Newsgroups: php.internals
Date: Mon, 21 May 2007 09:55:52 +0200
To: Stanislav Malyshev
Cc: David, internals@lists.php.net
Subject: Re: [PHP-DEV] Dismantling the lies...
From: sesser@hardened-php.net (Stefan Esser)

Stanislav Malyshev wrote:
>> Well yes. I think to solve this "once and for all" a public statement by
>> the PHP group would be nice that says:
>
> I don't think they are "not important", just that they are not
> important enough to want them fixed no matter the cost. Running shared
> hosted server in a mode that relies on restricted code IMO is wrong
> anyway, and for non-shared environment these problems could be
> exploited only if specifically enabled by very badly written code. So
> when there's a trade-off between having the language work better for
> 100% of cases or protect those who run broken code on their servers -
> the choice would be to make language run better. Again, that doesn't
> mean bugs shouldn't be fixed - just the fix shouldn't make the
> situation worse.

Unfortunately we live in the real world, where people usually break into servers that run bad PHP code. And the tighter you make the OS, like CGI, separate user account, no write access to document root, chrooted document root, ..., the more obvious it becomes that local vulnerabilities matter. Because in such an environment you CANNOT break out of it with plain PHP code. You need to execute arbitrary machine code.

Remote PHP Code Execution Vulnerabilities will not be dead when allow_url_include is installed and disabled everywhere. Just keep in mind that the most popular PHP worm ever (Santy) that exploited phpBB was attacking through the /e modifier of preg_replace().

Really Bad Code exists everywhere and admins have a very bad feeling in their stomach when they have to install PHP applications.

Stefan Esser