Newsgroups: php.internals
From: Stanislav Malyshev <stas@zend.com>
To: Stefan Esser
CC: Alexey Zakhlestin, PHP internals
Date: Mon, 21 May 2007 10:08:13 -0700
Message-ID: <4651D1FD.1080709@zend.com>
In-Reply-To: <46515417.3030904@hardened-php.net>
Subject: Re: [PHP-DEV] Dismantling the lies...

> For example, to get around a non-executable heap situation you first need to
> poke the right offsets in memory to "reenable" the dl() function (NOT possible
> with plain PHP code), find some writable disk space, dump a shared library
> there and load it. From there you can execute whatever kernel exploit

Why so much trouble? If you can do that, you certainly can do a simple exec...

> you want,
> to get for example out of the chroot, to disable SELinux...

If you can do that from PHP, these functions would essentially be completely useless, since then you can do it from any other program (like a vulnerable ftpd or smtpd or named), and the whole reason for their existence is to protect exactly against that.

> And here is the problem with the OS hardening argument of the PHP developers.
> OS hardening is useless if I can use exploits in PHP to simply disable/get around
> this hardening.

OS hardening is useless if you can use anything in any user-level program to break it, correct. However, I don't think it's that easy to break the OS as you make it sound to be, and in any case PHP is not really meant to be a fix for an insecure OS. If you have an insecure OS, you are in a deep it anyway, so relying on PHP for help is just denying the reality.

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/