Description
The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands
Potential Mitigations
Phase: Implementation
Description:
The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as Q and E in Perl.
CVE References
- CVE-2006-2059
- Executable regexp in PHP by inserting “e” modifier into first argument to preg_replace
- CVE-2005-3420
- Executable regexp in PHP by inserting “e” modifier into first argument to preg_replace
- CVE-2006-2878
- Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the “/e” modifier
- CVE-2006-2908
- Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.