
http://phptester.net/ yields the warning

WARNING base64_decode() has been disabled for security reasons

Why?

Besides the obvious vulnerabilities that have nothing to do with base64_decode (treating it as encryption, as a hash, evaluating base64_decoded data, etc) why would simply executing it be a security vulnerability?

4  
Probably because phptester has some major vulnerabilities, and one of the exploits required in base64_decode, so they decided to disable it. Based on that theory, I wouldn't be surprised if their security was something like: if(strstr($code, "eval") !== false || strstr($code, "readfile") !== false || ...) {echo "Security fail!"; exit;} – immibis 7 hours ago
up vote 16 down vote accepted

why would simply executing it be a security vulnerability?

It's not.

base64_decode does exactly what you would expect: It decodes a string.

There are also no known vulnerabilities in it, nor have there been in the past (there was an integer overflow issue in base64_encode - CVE-2003-0861 - but PHP does not consider it a security issue).

I would assume that http://phptester.net/ bans it because it can be used to obfuscate data. They may have some filters in place to prevent execution of dangerous code and may worry that base64_decode could be used to bypass these filters. I don't think that this is necessary or useful, but that might be their train of thought.

8  
Arguably the dumbest part of that line of reasoning is that a malicious user could probably just write their own decoder. – jpmc26 9 hours ago
4  
@jpmc26 Someone actually wrote most of PHP in PHP, so yeah... The work is already done! :P github.com/ircmaxell/PHPPHP – zenware 8 hours ago
    
phptester.net does not allow eval anyways, so it's not like you can stuff the output of base64_decode into eval. – DepressedDaniel 7 hours ago
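To illustrate the point made in the accepted answer and in jpmc26's comment, here is a pure-PHP base64 decoder written as an added example (it is not code from the question, the answer, or phptester.net; the function name base64_decode_plain is my own). It shows that the behaviour the sandbox disables is a few lines of ordinary string handling, which is why blocking the built-in adds no real security and is better understood as a denylist on a function name than as a control on what the decoded data can do.

```php
<?php
// Added example, not from the page: reimplementing base64 decoding in plain PHP.
// Decodes standard base64 (RFC 4648 alphabet, '=' padding) and rejects any
// character outside the alphabet, similar to base64_decode($s, true).
function base64_decode_plain(string $input): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
    $input = rtrim($input, '=');   // padding carries no data, so drop it
    $bits = '';                    // accumulated bit string, 6 bits per input char
    $out = '';

    for ($i = 0, $n = strlen($input); $i < $n; $i++) {
        $pos = strpos($alphabet, $input[$i]);
        if ($pos === false) {
            throw new InvalidArgumentException("invalid base64 character at offset $i");
        }
        // each symbol contributes 6 bits, most significant first
        $bits .= str_pad(decbin($pos), 6, '0', STR_PAD_LEFT);

        // emit a byte whenever 8 bits are available
        while (strlen($bits) >= 8) {
            $out .= chr(bindec(substr($bits, 0, 8)));
            $bits = substr($bits, 8);
        }
    }
    // leftover bits (fewer than 8) are padding and are discarded
    return $out;
}

// Constructed sample input: "hello" encoded as base64.
$sample = 'aGVsbG8=';
var_dump(base64_decode_plain($sample) === 'hello');
var_dump(base64_decode_plain($sample) === base64_decode($sample, true));
```

Both comparisons evaluate to true; the second one only works outside a sandbox that disables the built-in, which is exactly the point.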
