
[PHP] date() is evil (XSS’able)

4 March 2014 4 Comments

I was playing with PHP (as usual) and I was thinking about date().

It’s a PHP function that displays the date in different formats.

According to the documentation: “Unrecognized characters in the format string will be printed as-is.”

So what if I try to insert HTML there as well?

I tried <?php echo date('<img src=x onerror=alert(\'XSS\')>'); ?>

But the letters in the payload are recognized format characters and get expanded, so the output was:
<59033 32Tue, 04 Mar 2014 15:59:32 +00002014-03-04T15:59:32+00:00=x 20143UTCTue, 04 Mar 2014 15:59:32 +0000Tue, 04 Mar 2014 15:59:32 +00002014Tue, 04 Mar 2014 15:59:32 +0000=pmTuesdayUTCTue, 04 Mar 2014 15:59:32 +000031(‘Xthth’)>

Obviously that’s not gonna give us the XSS payload. The page also says:
“You can prevent a recognized character in the format string from being expanded by escaping it with a preceding backslash. If the character with a backslash is already a special sequence, you may need to also escape the backslash.”

So I tried to escape the characters I supplied with a backslash.
<?php
echo date('<\i\m\g \s\r\c=x \o\n\e\r\r\o\r=\a\l\e\r\t(\'X\S\S\')\>');
?>

And voilà! I saw the magic message box!

So filter the output of date() like you would filter any user-submitted input.

And if you don’t think someone would do echo date($_GET['date'])... THINK AGAIN!

http://phpkurs.se/php/ajax-med-jquery-och-php.html
http://forums.phpfreaks.com/topic/199191-strtotime-1-day-with-a-variable/
http://www.neosoftware.com/community/viewtopic.php?p=11206894&sid=b13ae2cbf369c22a67e659507275b2a3#p11206894
http://www.sitepoint.com/forums/showthread.php?280665-pulling-year-from-url-parameter-in-echo-statement&s=c5e4995b2c0adedf41dc0876ae337750&p=2031078&viewfull=1#post2031078
http://www.computercraft.info/forums2/index.php?/topic/4806-luacode-wantedreal-time/page__view__findpost__p__37833

date() is evil, don’t trust it.
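As an added example (not code from the original post), here is the unsafe pattern beside two defensive forms: HTML-encoding the output of date() and, better, never accepting a user-supplied format string at all. The function names and the $allowed map are illustrative assumptions.

```php
<?php
// Added example, not code from the original post. Function names and the
// $allowed map are illustrative assumptions.

// Unsafe: the caller controls the format string. date() prints any
// backslash-escaped letter literally, so the escaping trick from the post
// smuggles arbitrary markup through to the browser.
function render_date_unsafe(string $format): string
{
    return date($format);
}

// Mitigation 1: treat the result of date() like any other untrusted string
// and HTML-encode it at the output boundary. Escaped letters still pass
// through, but the browser now renders them as text, not as a tag.
function render_date_escaped(string $format): string
{
    return htmlspecialchars(date($format), ENT_QUOTES, 'UTF-8');
}

// Mitigation 2 (preferred): never let the user supply a format string at
// all. Map a short key to a fixed, developer-controlled format and fall
// back to a safe default for anything else.
function render_date_allowlisted(string $key): string
{
    $allowed = [
        'iso'   => 'Y-m-d',
        'rfc'   => DATE_RFC2822,
        'human' => 'l, F jS Y',
    ];
    $format = $allowed[$key] ?? $allowed['iso'];
    return htmlspecialchars(date($format), ENT_QUOTES, 'UTF-8');
}

// Constructed input in the style of the post's payload, with every letter
// escaped so that no format character expands (x and X are also format
// characters in recent PHP versions, so they are escaped here too).
$payload = '<\i\m\g \s\r\c=\x \o\n\e\r\r\o\r=\a\l\e\r\t(1)\>';

echo "unsafe:      ", render_date_unsafe($payload), PHP_EOL;
echo "escaped:     ", render_date_escaped($payload), PHP_EOL;
echo "allowlisted: ", render_date_allowlisted('rfc'), PHP_EOL;
echo "fallback:    ", render_date_allowlisted($payload), PHP_EOL;
```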

EDIT

I received many comments saying this is not something new and not a bug, and that’s absolutely right. This is just a friendly reminder to filter your output, not a “vulnerability” in the function; I never claimed that. This is the expected behavior and it’s mentioned in the php.net documentation.

4 Comments »

  • nassimweb15 said:

    Which version ?

  • 0xAli (author) said:

    PHP 5.3.13, but it should run everywhere. It’s not a bug in a specific version, it’s a feature.

  • anon said:

    I can not occur in the input form.
    Do not see the GET method?

  • 0xAli (author) said:

    I don’t understand what you mean, but it happens if you feed it the user input without validation, just like “echo”, “print”, etc.
