Extract: A PHP Foot-Gun Case Study

Jannik Hartung, Simon Koch, and Martin Johns, Technische Universität Braunschweig

Awarded Best Paper!

The extract call in PHP, if used naively, poses a threat to the security of a PHP application similar to that of the register_globals configuration, which was removed from PHP in version 5.3. We provide an attack analysis of its usage, showing the impact that unsafe usage can have. To understand how the security impact of extract manifests, we conduct a large-scale static analysis of 28325 open-source PHP projects to detect its insecure usage. Subsequently, we investigate each detected potentially vulnerable call manually to assess its security implications for the surrounding project and discover a total of 154 injection vulnerabilities and 86 CFG hijacking threats, including 60 privilege escalations, thus demonstrating the danger of extract. As our final contribution, we discuss multiple paths forward for PHP to mitigate the dangers of this call.
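The register_globals-style variable overwrite the abstract refers to, and two ways of defusing it, as an added example that is not part of the paper or its authors' artefacts. The `$request` array is a constructed stand-in for `$_GET`/`$_POST` so the script runs offline, and the function names are illustrative only; `EXTR_SKIP` and `EXTR_PREFIX_ALL` are PHP's real `extract()` flags.

```php
<?php
// Added example (not from the paper or its authors): the extract() foot-gun
// the abstract describes, shown beside two ways of defusing it. The request
// array below is a constructed stand-in for $_GET / $_POST so the script
// runs offline; the function names are illustrative only.

// Constructed request: the client supplies a key the code never intended
// to accept from the outside.
$request = ['page' => 'home', 'is_admin' => '1'];

// Naive usage: every request key becomes a local variable, which is exactly
// the register_globals behaviour the abstract compares extract() to.
function renderNaive(array $request): string
{
    $is_admin = false;        // intended default
    extract($request);        // client-controlled 'is_admin' replaces it
    return $is_admin ? 'admin panel' : 'public page';
}

// Mitigation 1: EXTR_SKIP refuses to overwrite variables that already
// exist. Caveat: only variables that exist at the time of the call are
// protected; a variable the function reads later without having
// initialised it first is still supplied by the request.
function renderWithSkip(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return $is_admin ? 'admin panel' : 'public page';
}

// Mitigation 2: EXTR_PREFIX_ALL gives every extracted name a fixed prefix,
// so request keys can never collide with the function's own variables.
// Reading the keys you expect directly from the array is simpler still.
function renderWithPrefix(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');   // creates $req_page, $req_is_admin
    $page = $req_page ?? 'home';
    return $is_admin ? 'admin panel' : "public page ($page)";
}

echo renderNaive($request), PHP_EOL;
echo renderWithSkip($request), PHP_EOL;
echo renderWithPrefix($request), PHP_EOL;
```

Run with the PHP CLI: the naive variant renders the admin panel because the request's `is_admin` replaced the function's default, while both mitigated variants keep rendering the public page. The prefix form is the more robust of the two, since it removes the collision entirely rather than depending on assignment order.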

BibTeX
@inproceedings {309147,
author = {Jannik Hartung and Simon Koch and Martin Johns},
title = {Extract: A {PHP} {Foot-Gun} Case Study},
booktitle = {19th USENIX WOOT Conference on Offensive Technologies (WOOT 25)},
year = {2025},
isbn = {978-1-939133-50-2},
address = {Seattle, WA},
pages = {249--262},
url = {https://www.usenix.org/conference/woot25/presentation/hartung},
publisher = {USENIX Association},
month = aug
}