Sat, 10 Mar 2007


Since PHP 5.2.0 there is a new filtering extension in PHP that is on the one hand supposed to be used by applications to filter user input and on the other hand able to enforce site wide filtering.

However due to its broken design it is possible to sneak POST data through the site wide filter when PHP is compiled with FDF support.

Affected versions

Affected is PHP <= 5.2.0

Detailed information

With PHP 5 a number of input filtering hooks were added to PHP that were only used by Yahoo until the Hardened-PHP Project put some work in them and fixed some obvious bugs. From that day the Hardened-PHP Patch came with a varfilter extension that made use of these hooks to filter user input by variable count, size, shape.

Then the PHP developers developed ext/filter that was supposed to be bundled with PHP and broke the input filtering system. Because ext/filter does take over the input filtering system and does not give control back to previously defined input filters the new input filtering hooks are dead. The PHP developers knew that Hardened-PHP used these hooks but that did not stop them from intentionally breaking it.

The input filtering hooks are designed in a way that at all places were user input is parsed and registered as variables a call to the input filter is added that decides what todo with the variables. The problem with this is that all extensions that add support for other POST content-types need to also implement the hooks, otherwise the data goes unfiltered through.

With ext/fdf PHP ships an extension that does add the FDF POST data format but does not call the input filtering. Therefore it is possible to bypass all site wide enforced filters

Proof of concept, exploit or instructions to reproduce

Attached is an exploit that converts the _POST array into POST data in the application/vnd.fdf format and POST it to a URL, bypassing the site wide filter enforced by ext/filter.


PHP's new filtering extension is the next misdesigned feature of PHP that will most probably cause a lot of headaches to developers and especially admins.

First of all the filtering hooks are at the wrong place so that again the filtering will only take place when all loaded extensions (including 3rd party ones) that deal with user input add calls to the filtering hooks.

And secondly ext/filter is written in a way that other people's filtering extension will not work anymore, because ext/filter does grab the filtering hooks and does not perform daisy chaining. The PHP developers intentionally broke the varfilter extension of Hardened-PHP with this. However Suhosin that should be used instead of HPHP anyway, does work with ext/filter.

And last but not least ext/filter is of course only an optional extension that can be disabled by the admin any time and therefore any PHP applications that relies on it for input filtering will only work if the input filtering extensions is installed.