Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:27359 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 45033 invoked by uid 1010); 11 Jan 2007 16:05:04 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 44999 invoked from network); 11 Jan 2007 16:05:04 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 Jan 2007 16:05:04 -0000 Authentication-Results: pb1.pair.com header.from=sesser@hardened-php.net; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=sesser@hardened-php.net; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain hardened-php.net from 81.169.146.188 cause and error) X-PHP-List-Original-Sender: sesser@hardened-php.net X-Host-Fingerprint: 81.169.146.188 mo-p07-ob.rzone.de Solaris 10 (beta) Received: from [81.169.146.188] ([81.169.146.188:14766] helo=mo-p07-ob.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 86/10-42349-31066A54 for ; Thu, 11 Jan 2007 11:04:36 -0500 Received: from [192.168.1.77] (p5B005093.dip.t-dialin.net [91.0.80.147]) by post.webmailer.de (mrclete mo30) (RZmta 3.11) with ESMTP id j0BF2aCl0026b9; Thu, 11 Jan 2007 17:04:30 +0100 (MET) Date: Thu, 11 Jan 2007 17:04:30 +0100 (MET) Message-ID: <45A6600D.1090500@hardened-php.net> User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Rasmus Lerdorf CC: Alain Williams , internals@lists.php.net, kel@securityfocus.com References: <20070111144144.GV15998@mint.phcomp.co.uk> <45A65B19.40900@lerdorf.com> In-Reply-To: <45A65B19.40900@lerdorf.com> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Comments on PHP security From: sesser@hardened-php.net (Stefan Esser) Hello Rasmus, > There are some concrete suggestions in the article that we addressed a > while ago. Things like: > > "I'd like to see new defaults that limit include() and require() to > only allow local files, thereby avoiding remote file injection." > > That's the default in PHP 5.2.0 which was released over 2 months ago now. > This is not true. It was demonstrated several times that the "protection" is easily bypassed by using data:// or php://input URLs. Maybe this is fixed in PHP 5.2.1 but it is not in 5.2.0. And it certainly is no protection at all when someone can just use one of the other URL wrappers of PHP that are considered safe and put in an overlong URL that produces a stack overflow. (Hello zip://) > Another thing to keep in mind is that there are two very distinct > security issues here. Remote vs. Local issues. Just about every > reported security problem against PHP itself has been of the Local > variety. That means that it is a flaw in our various attempts to > What a blatant lie. PHP had several bufferoverflows etc... in functions often exposed to user input and some direct remote exploits in the past. To just name a few: htmlentities() overflow, about a million bugs in unserialize(), fileupload exploits, memory_limit exploits, ... Last year there was f.e. the zend_hash_del_key_or_index vulnerability that exposed a large number of PHP applications to remote attacks. Ah yes and If I had not babysitted the CVS in the past there would be even more direct remote exploits against PHP, like the HTTP Digest Auth double free vulnerability. And yes, only looking at local holes, PHP has more than enough of them. > In this case you could have a mod_security rule to disallow ../.. style > patterns in URLs. But if someone found a way to still sneak that > pattern through, perhaps because of a bug in mod_security related to > There is nothing more trivial than sneaking something through the combination mod_security + PHP. > tag, it might slip through. Next, ext/filter kicks in with a default > filter of "special_chars" for example and changes " to " and the > Maybe, if ext/filter would be bug free... Stefan Esser PS: Stop the "We are secure" marketing and face reality