In PHP we can pass arguments to a function dynamically during runtime. For example have look at this example.
I have used call_user_func_array() to pass the arguments to the function. The syntax would be:
Since I have used $_GET we can pass the function and its arguments during runtime.
When we pass the URL like that the actual parameters would be like the following.
call_user_func_array("user", ['Osanda', 'secret', 'email@example.com']);
Don’t you see the loophole? 😉 Why not we can call any PHP function. The first thing that comes to my mind is phpinfo()
What about code execution? Yeah it is possible. For example we can call passthru() and pass the arguments nicely.
http://localhost/?func=passthru&args=systeminfo | findstr /C:"OS"
The simplest way to mitigate these kind of arbitrary calling of functions you could add a prefix to your functions. You can of course think of better solutions than this depending on your situation. But in this case for example instead of:
function User($user, $pass, $email)
you can add something like
function secure_User($user, $pass, $email)
Also make sure you concatenate the prefix to the GET request in call_user_func_array()
Now if you try to request any arbitrary function PHP will throw an error since we have concatenated “secure_” prefix to the calling function.
Thanks for reading!