Executable Regular Expression Error
Incomplete Base
Structure: Simple
Description
The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.
Common Consequences 1
Scope: ConfidentialityIntegrityAvailability
Impact: Execute Unauthorized Code or Commands
Potential Mitigations 1
Phase: Implementation
The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.
Observed Examples 4
CVE-2006-2059Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace
CVE-2005-3420Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace
CVE-2006-2878Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the "/e" modifier
CVE-2006-2908Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.
Applicable Platforms
Languages:
PHP : UndeterminedPerl : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
Taxonomy Mapping
- Software Fault Patterns
Notes
Research GapUnder-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.