[PHP] date() is evil (XSS’able)
I was playing with PHP (As usual) and i was thinking about date()
It’s a PHP function that displays date in different formats.
According to the documentation: “Unrecognized characters in the format string will be printed as-is.”
So what if i try to insert HTML there as well?
I tried <?php echo date(‘<img src=x onerror=alert(\’XSS\’)>’; ?>
But all characters are accepted in the format so the output was:
<59033 32Tue, 04 Mar 2014 15:59:32 +00002014-03-04T15:59:32+00:00=x 20143UTCTue, 04 Mar 2014 15:59:32 +0000Tue, 04 Mar 2014 15:59:32 +00002014Tue, 04 Mar 2014 15:59:32 +0000=pmTuesdayUTCTue, 04 Mar 2014 15:59:32 +000031(‘Xthth’)>
Obviously that’s not gonna give us the XSS payload, the page also says:
“You can prevent a recognized character in the format string from being expanded by escaping it with a preceding backslash. If the character with a backslash is already a special sequence, you may need to also escape the backslash.”
So i tried to escape the characters i supplied with a backslash.
echo date(‘<\i\m\g \s\r\c=x \o\n\e\r\r\o\r=\a\l\e\r\t(\’X\S\S\’)\>’);
And viola! i saw the magic message box!
So filter the output of date like you would filter and user submitted input.
And if you don’t think someone would do echo date($_GET[‘date’])………… THINK AGAIN!
date() is evil, don’t trust it.
I received many comments saying this is not something new and not a bug, and that’s absolutely right this is just a friendly reminder to filter your output not a “vulnerability” in the function i never claimed that. this is the expected behavior and it’s mentioned in php.net documentation.