Newsgroups: php.internals
Date: Mon, 9 Apr 2012 05:58:42 +0900
Sender: yohgaki@gmail.com
To: Ángel González
Cc: PHP Developers Mailing List
Subject: Re: [PHP-DEV] PHP class files without :

> 2012/4/8, Yasuo Ohgaki:
>> 2012/4/8 Ángel González :
>>> How does it help security?
>>> If any, requiring '
>>> out malicious files on apps with uploads in case there's a local
>>> inclusion vulnerability somewhere.
>>>
>> Attackers may inject PHP script into almost anything/anywhere since
>> PHP code may be embedded anywhere in a file.
>>
>> For example, malicious PHP script may be in GIF something like
>>
>> gif89a ...any data..
>>
>> and all an attacker has to do is include/require the data somehow.
>> Attackers cannot do this for other languages, since they are
>> not embedded languages. I know of cases where attackers may inject
>> malicious perl/ruby script in data files, but PHP is too easy
>> compared to these languages.
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
> Yes, but if I properly check that there's no ' (as you should verify everything you allow users to upload), it can't be
> exploited.
> OTOH if the vulnerable include is not an include but an include_code,
> they could
> use a file which was

Checking "" into uploaded images to prevent hosting malware images.
Attackers may inject PHP script anywhere, into any file.
Disabling embed mode is a simple and effective countermeasure.

>> exec("rm -rf"); // Example of what not to do
> And was happily uploaded as "plain text".

There are 2 types of attacks: one is directly uploading a PHP script,
the other is including a PHP script. Uploading as plain text does not help.

Regards,

--
Yasuo Ohgaki
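
What a byte-level check for embedded PHP in an uploaded file has to cover, as an added example that is not code from this thread or from PHP itself. The names `findPhpOpeners` and `naiveCheck`, the pattern table, and the sample bytes are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: markers that PHP's embedded mode can treat as the start of code.
// Which ones are live depends on the PHP version and ini settings noted below.
const PHP_OPENERS = [
    'php_tag'    => '/<\?php/i',          // tag name is matched case-insensitively
    'echo_tag'   => '/<\?=/',             // always enabled since PHP 5.4
    'short_tag'  => '/<\?(?![a-z=])/i',   // short_open_tag=On; heuristic, skips <?xml-style PIs
    'asp_tag'    => '/<%/',               // asp_tags=On, removed in PHP 7.0
    'script_tag' => '/<script\s+language\s*=\s*["\']?php/i', // removed in PHP 7.0
];

/** Return the names of every opener found in the raw bytes of an upload. */
function findPhpOpeners(string $bytes): array
{
    $hits = [];
    foreach (PHP_OPENERS as $name => $regex) {
        if (preg_match($regex, $bytes) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** A single case-sensitive string check, for comparison. */
function naiveCheck(string $bytes): bool
{
    return strpos($bytes, '<?php') !== false;
}

// Constructed samples: a GIF signature, filler bytes and a harmless marker.
$samples = [
    'clean.gif'     => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'lowercase.gif' => "GIF89a\x01\x00<?php echo 'marker'; ?>;",
    'uppercase.gif' => "GIF89a\x01\x00<?PHP echo 'marker'; ?>;",
    'echo.gif'      => "GIF89a\x01\x00<?= 'marker' ?>;",
];

foreach ($samples as $name => $bytes) {
    printf("%-14s naive=%-3s openers=%s\n",
        $name,
        naiveCheck($bytes) ? 'hit' : '-',
        implode(',', findPhpOpeners($bytes)) ?: 'none');
}
```

A scan like this is a filter that can raise false positives on binary data; it does not replace keeping uploaded files out of any path that can reach `include`/`require`.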