Php Call Func Insecure Functionality
Description
Detects unsafe usage of PHP's call_user_func() where the callback parameter could be controlled by an attacker. This vulnerability could allow execution of arbitrary PHP functions if the callback argument comes from an untrusted source, potentially leading to remote code execution.
Detection Strategy
• Identifies calls to PHP's call_user_func() function in the code
• Checks if the first parameter (callback) comes from an unsafe source like user input or concatenation
• Verifies that the callback parameter is not properly sanitized or validated
• Reports a vulnerability when call_user_func() is called with an unsafe, unsanitized callback parameter
Vulnerable code example
<?php
// Directly using unvalidated user input in call_user_func is dangerous
$out1 = call_user_func($_GET['cb'], $_GET['val']);
// Still vulnerable - attacker can control callback via cookie
$cb = $_COOKIE['cb'] ?? 'strtoupper';
$val = $_COOKIE['val'] ?? 'demo';
$out2 = call_user_func($cb, $val);
✅ Secure code example
<?php
// Define allowlist of safe callback functions
$allowed_callbacks = ['strtoupper', 'strtolower', 'trim', 'strlen'];
// Example 1: Validate callback against allowlist before execution
$cb = $_GET['cb'] ?? 'strtoupper';
$val = $_GET['val'] ?? '';
if (in_array($cb, $allowed_callbacks, true)) { // Strict comparison against the allowlist
    $out = call_user_func($cb, $val);
} else {
    // Reject anything that is not on the allowlist instead of calling it
    http_response_code(400);
    exit('Callback not allowed');
}
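The allowlist above still hands a request-supplied string to call_user_func(). The following added example (written for this page, not part of the original rule or of Fluid Attacks' code) goes one step further: the request value is only ever used as a key into a fixed map of closures, so no attacker-controlled string becomes a function name, and an unknown key is rejected rather than called. The map keys `upper`, `lower` and `trim`, the helper `runAllowed()` and the sample requests are assumptions constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example: dispatch through a fixed map of closures instead of passing a
// user-supplied string to call_user_func(). The keys are the only names a
// caller may select; the values are the real callables.
/** @var array<string, callable(string): string> $dispatch */
$dispatch = [
    'upper' => static fn(string $s): string => strtoupper($s),
    'lower' => static fn(string $s): string => strtolower($s),
    'trim'  => static fn(string $s): string => trim($s),
];

/**
 * Resolve a request-supplied operation name against the dispatch map and
 * run the matching closure. Returns null when the name is not on the map,
 * so the caller decides how to fail; nothing is invoked for unknown names.
 * (Hypothetical helper, not a function from the page.)
 */
function runAllowed(array $dispatch, string $name, string $value): ?string
{
    // Note: is_callable($name) would NOT be a substitute for this check.
    // It returns true for any defined function, so it is not an allowlist.
    if (!array_key_exists($name, $dispatch)) {
        return null; // unknown key: reject, do not call anything
    }
    return $dispatch[$name]($value);
}

// Constructed sample requests (not real traffic) showing both paths.
$samples = [
    ['op' => 'upper',  'val' => 'hello'], // on the map  -> "HELLO"
    ['op' => 'system', 'val' => 'id'],    // not on map  -> null, never executed
];

foreach ($samples as $req) {
    $result = runAllowed($dispatch, $req['op'], $req['val']);
    if ($result === null) {
        http_response_code(400);
        echo "rejected operation '{$req['op']}'\n";
        continue;
    }
    echo "{$req['op']} -> {$result}\n";
}
```

Because the map values are closures rather than strings, a static analyser (and a code reviewer) can see every function that this path is able to reach; with a string allowlist, the reachable set is only as good as the list's maintenance. The same pattern extends to method dispatch: store `[$object, 'method']` pairs or bound closures as map values rather than building the callable from request data.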