Extract: A PHP Foot-Gun Case Study
2025
Conference / Journal
Authors
Martin Johns Simon Koch Jannik Hartung
Research Hub
Research Hub C: Secure Systems
Research Challenges
RC 8: Security with Untrusted Components
Abstract
The extract call in PHP, if used naively, poses a threat to the security of a PHP application similar to the register_globals configuration that was removed from PHP in version 5.3. We provide an attack analysis of its usage, showing the impact that unsafe usage can have. To understand how the security impact of extract manifests, we conduct a large-scale static analysis of 28325 open-source PHP projects to detect its insecure usage. Subsequently, we investigate each detected potentially vulnerable call manually to assess its security implications for the surrounding project and discover a total of 154 injection vulnerabilities and 86 CFG hijacking threats, including 60 privilege escalations. This demonstrates the danger of extract. As our final contribution, we discuss multiple paths forward for PHP to mitigate the dangers of this call.
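The register_globals-like behaviour the abstract refers to, as an added illustration that is not code from the paper: a naive extract() over request data beside two hardened variants. The function names, the `$request` array and the `is_admin`/`page` keys are constructed for this example.

```php
<?php
// Added example (not from the paper): extract() over untrusted data lets a
// request key clobber a local variable, exactly as register_globals did.

// Constructed request data: a key that collides with a security-relevant local.
$request = ['page' => 'home', 'is_admin' => '1'];

function render_naive(array $params): string {
    $is_admin = false;
    // Default mode is EXTR_OVERWRITE: any key in $params that matches an
    // existing local, including $is_admin, replaces its value.
    extract($params);
    return $is_admin ? 'admin view' : 'user view';
}

function render_skip(array $params): string {
    $is_admin = false;
    // EXTR_SKIP leaves variables that already exist untouched, so locals
    // defined before the call cannot be overwritten by request data.
    extract($params, EXTR_SKIP);
    return $is_admin ? 'admin view' : 'user view';
}

function render_allowlist(array $params): string {
    $is_admin = false;
    // Safest form: import only expected keys, and under a prefix, so imported
    // names live in their own namespace ($req_page) and cannot collide.
    $allowed = array_intersect_key($params, array_flip(['page']));
    extract($allowed, EXTR_PREFIX_ALL, 'req');
    $page = $req_page ?? 'home';
    return ($is_admin ? 'admin view' : 'user view') . ' for ' . $page;
}

echo render_naive($request), PHP_EOL;      // the foot-gun: request decides the role
echo render_skip($request), PHP_EOL;       // local default wins
echo render_allowlist($request), PHP_EOL;  // only the allow-listed key is imported
```

A code-review or static-analysis check for this class of bug is simply: flag any extract() whose first argument derives from $_GET, $_POST, $_REQUEST or $_COOKIE and is called without EXTR_SKIP or a prefix flag.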