Newsgroups: php.internals
Date: Sun, 14 Jan 2007 12:18:04 +0100 (MET)
Message-ID: <45AA116F.7020109@hardened-php.net>
From: sesser@hardened-php.net (Stefan Esser)
To: Stanislav Malyshev
CC: Marcus Boerger, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Comments on PHP security

Stanislav,

you obviously did not get the point...

It is not about including URL stream wrappers that you yourself provide. It is about URL Include vulnerabilities in the application that allow remote attackers to issue attacks against Userstreams of the application.

I would not be surprised to see some Wrapper Userstream that actually allows specifying a remote URL (something like php://filter just as userstream). And if I am not completely mistaken here, unlike php://filter a userstream will not give the THIS_IS_AN_INCLUDE_FLAG down to a stream it itself opens.

PS: Don't tell me that userstreams are not available at the time of the include... I have seen enough stuff like

    include "base.lib.php";
    ...
    include $templatepath."/header.php";
    ...
    include $templatepath."/footer.php";

Stefan Esser
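
The include pattern quoted in the message, with the template directory resolved before it is used, as an added example that is not part of the original post. `DemoWrapper`, the `demo` scheme, `wrapper_for`, `resolve_template` and the temporary directory are hypothetical names, and the three sample values are constructed.

```php
<?php
// Added example, not code from the original message.

// Hypothetical user stream wrapper, standing in for one that a library
// like base.lib.php registers before the template includes run.
class DemoWrapper { public $context; }
stream_wrapper_register('demo', 'DemoWrapper');

// Return the registered wrapper a path names, or null for a plain path.
// Conservative: any "scheme:" prefix is checked, and user-registered
// wrappers appear in stream_get_wrappers() next to the built-in ones.
function wrapper_for($path) {
    if (!preg_match('#^([a-z][a-z0-9+.\-]*):#i', $path, $m)) {
        return null;
    }
    $scheme = strtolower($m[1]);
    return in_array($scheme, stream_get_wrappers(), true) ? $scheme : null;
}

// Resolve $file under $baseDir/$templatepath; null if the value names a
// wrapper, does not exist, or resolves outside $baseDir.
function resolve_template($baseDir, $templatepath, $file) {
    $base = realpath($baseDir);
    if ($base === false || wrapper_for($templatepath) !== null) {
        return null;
    }
    $real = realpath($base . '/' . $templatepath . '/' . $file);
    if ($real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sample input: a temporary template tree and three values.
$baseDir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($baseDir . '/default', 0700, true);
file_put_contents($baseDir . '/default/header.php', "<?php echo 'header';\n");

foreach (array('default', 'demo://anything', '../..') as $templatepath) {
    $path = resolve_template($baseDir, $templatepath, 'header.php');
    echo str_pad($templatepath, 16), ' => ',
         $path === null ? 'rejected' : 'include ' . $path, "\n";
}
```

A check that only looks for `http://` or `ftp://` would let the `demo://` value through; comparing against `stream_get_wrappers()` and anchoring the result under a fixed base directory covers wrappers registered at runtime as well.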