On Thu, Jul 13, 2023 at 10:25 PM Sergii Shymko <ser...@shymko.net> wrote:
> For instance, functions parse_ini_string() and parse_ini_file() do support
> the aforementioned env variables syntax, because the underlying code is
> reused. That means that these functions can potentially be exploited to
> read sensitive information!
>
> For example:
> AWS_SECRET_ACCESS_KEY=amazonWebServicesSecretAccessKeyExample1 php -r
> 'var_export(parse_ini_string("secret=\${AWS_SECRET_ACCESS_KEY}"));'
> array (
>   'secret' => 'amazonWebServicesSecretAccessKeyExample1',
> )
>

If you find any way to exploit this, you've already breached enough to have sufficient access to read the entire environment available to the PHP user anyway (for example, you already had a way to inject arbitrary code into a script which is eval'd or whatever...) in which case, why would you care about parse_ini_string when you could just e.g. var_dump(getenv())?
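Added example, not part of either message in this thread: for code that passes INI text from outside the application to parse_ini_string(), the sketch below compares the default scanner mode with INI_SCANNER_RAW, which leaves values unparsed so a `${NAME}` reference stays a literal string. DEMO_SECRET, its value, the sample INI text and the two helper functions are constructed for illustration.

```php
<?php
// Constructed environment variable standing in for a real secret.
putenv('DEMO_SECRET=constructed-value-123');

// Constructed INI text, as it might arrive from an untrusted source.
$untrusted = <<<'INI'
secret=${DEMO_SECRET}
name=report
INI;

/** Hypothetical helper: list the names referenced as ${NAME} in INI text. */
function ini_env_references(string $ini): array
{
    preg_match_all('/\$\{([^}:]+)/', $ini, $m);
    return array_values(array_unique($m[1]));
}

/** Hypothetical helper: parse untrusted INI text without value interpolation. */
function parse_untrusted_ini(string $ini): array
{
    // INI_SCANNER_RAW: option values are not parsed, so ${...} is not resolved.
    $parsed = parse_ini_string($ini, false, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new InvalidArgumentException('malformed INI input');
    }
    return $parsed;
}

// Default mode (INI_SCANNER_NORMAL) resolves the reference from the environment.
$normal = parse_ini_string($untrusted);
// Raw mode keeps the reference as the literal text ${DEMO_SECRET}.
$raw = parse_untrusted_ini($untrusted);

echo "references found: ", implode(', ', ini_env_references($untrusted)), PHP_EOL;
echo "normal mode: ", var_export($normal['secret'], true), PHP_EOL;
echo "raw mode:    ", var_export($raw['secret'], true), PHP_EOL;
```

The reference list can be logged or used to reject the input before any normal-mode parse of externally supplied INI text.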