the Month of PHP Security

PHP’s unpack() function can be interrupted and used for information leakage due to call time pass by reference.
(more…)

PHP’s preg_match() function can be interrupted by an object destructor causing information leaks due to call time pass by reference.
(more…)

PHP’s parse_str() function can be interrupted by deeply nested arrays which can lead to memory corruption and arbitrary code execution.
(more…)

PHP’s substr_replace() function can be abused for information leak attacks, because of the call time pass by reference feature.
(more…)

PHP’s trim()/ltrim()/rtrim() function can be abused for information leak attacks, because of the call time pass by reference feature.
(more…)

PHP’s str_pad() function can be abused for information leak attacks, because of the call time pass by reference feature.
(more…)

PHP’s str_word_count() function can be abused for information leak attacks, because of the call time pass by reference feature.
(more…)

PHP’s wordwrap() function can be abused for information leak attacks, because of the call time pass by reference feature.
(more…)

PHP’s strtok() function can be abused for information leak attacks, because of the call time pass by reference feature.
(more…)

PHP’s setcookie() function can be abused for information leak attacks, because of the call time pass by reference feature.
(more…)