Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:27361 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 51573 invoked by uid 1010); 11 Jan 2007 16:13:32 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 51558 invoked from network); 11 Jan 2007 16:13:32 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 Jan 2007 16:13:32 -0000 Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lerdorf.com from 204.11.219.139 cause and error) X-PHP-List-Original-Sender: rasmus@lerdorf.com X-Host-Fingerprint: 204.11.219.139 lerdorf.com Linux 2.5 (sometimes 2.4) (4) Received: from [204.11.219.139] ([204.11.219.139:52975] helo=lerdorf.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 62/71-42349-B2266A54 for ; Thu, 11 Jan 2007 11:13:32 -0500 Received: from [192.168.200.104] (c-67-169-43-97.hsd1.ca.comcast.net [67.169.43.97]) (authenticated bits=0) by lerdorf.com (8.13.8/8.13.8/Debian-3) with ESMTP id l0BGDPrD010864; Thu, 11 Jan 2007 08:13:25 -0800 Message-ID: <45A66224.8030809@lerdorf.com> Date: Thu, 11 Jan 2007 08:13:24 -0800 User-Agent: Thunderbird 1.5.0.9 (Macintosh/20061207) MIME-Version: 1.0 To: Stefan Esser CC: Alain Williams , internals@lists.php.net, kel@securityfocus.com References: <20070111144144.GV15998@mint.phcomp.co.uk> <45A65B19.40900@lerdorf.com> <45A6600D.1090500@hardened-php.net> In-Reply-To: <45A6600D.1090500@hardened-php.net> X-Enigmail-Version: 0.94.1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Comments on PHP security From: rasmus@lerdorf.com (Rasmus Lerdorf) Stefan Esser wrote: > Hello Rasmus, >> There are some concrete suggestions in the article that we addressed a >> while ago. Things like: >> >> "I'd like to see new defaults that limit include() and require() to >> only allow local files, thereby avoiding remote file injection." >> >> That's the default in PHP 5.2.0 which was released over 2 months ago now. >> > This is not true. It was demonstrated several times that the > "protection" is easily bypassed by using data:// or php://input URLs. > Maybe this is fixed in PHP 5.2.1 but it is not in 5.2.0. And it > certainly is no protection at all when someone can just use one of the > other URL wrappers of PHP that are considered safe and put in an > overlong URL that produces a stack overflow. (Hello zip://) Yes, this has been fixed. And I didn't say it was bug free. Nothing is ever bug free, but that the feature was introduced. >> Another thing to keep in mind is that there are two very distinct >> security issues here. Remote vs. Local issues. Just about every >> reported security problem against PHP itself has been of the Local >> variety. That means that it is a flaw in our various attempts to >> > What a blatant lie. PHP had several bufferoverflows etc... in functions > often exposed to user input and some direct remote exploits in the past. > To just name a few: htmlentities() overflow, about a million bugs in > unserialize(), fileupload exploits, memory_limit exploits, ... Last year > there was f.e. the zend_hash_del_key_or_index vulnerability that exposed > a large number of PHP applications to remote attacks. Ah yes and If I > had not babysitted the CVS in the past there would be even more direct > remote exploits against PHP, like the HTTP Digest Auth double free > vulnerability. And yes, only looking at local holes, PHP has more than > enough of them. Sure, but the majority were still local. Some of the local ones can of course be triggered remotely given the right circumstances which is why they are still very important to fix. We fix them as fast as we can and appreciate any help we get from you and others on this front. > PS: Stop the "We are secure" marketing and face reality This isn't "we are secure" marketing. This is simply explaining what we are doing to make PHP more secure. -Rasmus