Newsgroups: php.internals
Xref: news.php.net php.internals:59478
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
X-PHP-List-Original-Sender: tom@punkave.com
References: <4F80C739.2060404@gmail.com>
Date: Sun, 8 Apr 2012 18:11:21 -0400
To: PHP Internals
Subject: Re: [PHP-DEV] PHP class files without

Yasuo Ohgaki wrote:
> Hi,
>
> 2012/4/9 Arvids Godjuks :
>> On 8 April 2012 at 8:16, user Yasuo Ohgaki wrote:
>>
>>> 2012/4/8 Ángel González :
>>> > On 07/04/12 22:48, Yasuo Ohgaki wrote:
>>> >> Hi,
>>> >>
>>> >> The only valid reason for removing
>>> >> security.
>>> >>
>>> >> Since the null byte detection for fopen, remote/local script inclusion
>>> >> became much harder than before. However, it's still possible and very
>>> >> easy compared to other languages. Script execution is a critical security
>>> >> problem and it's worth making it better.
>>> >>
>>> >> If there is a switch that turns off PHP's template engine nature, PHP
>>> >> could be more secure than now.
>>> >>
>>> >> php.ini
>>> >> template_mode = on   ; INI_ALL On by default
>>> >>
>>> >> php -t foo.php   # template mode by default
>>> >> php -T foo.php   # template mode off
>>> >>
>>> >> People have the option to make their code a little more secure than now
>>> >> or stick with the current behavior.
>>> >>
>>> >> Regards,
>>> > How does it help security?
>>> > If any, requiring '
>>> > out malicious files on apps with uploads in case there's a local
>>> > inclusion vulnerability somewhere.
>>> >
>>>
>>> Attackers may inject PHP script almost anything/anywhere since
>>> PHP code may be embedded anywhere in a file.
>>>
>>> For example, malicious PHP script may be in a GIF, something like
>>>
>>> gif89a ...any data..
>>>
>>> and all the attacker has to do is include/require the data somehow.
>>> Attackers cannot do this for other languages, since they are
>>> not embedded languages. I know of cases where attackers may inject
>>> malicious perl/ruby script in data files, but PHP is too easy
>>> compared to these languages.
>>>
>>> Regards,
>>>
>>> --
>>> Yasuo Ohgaki
>>>
>>> --
>>> PHP Internals - PHP Runtime Development Mailing List
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>> An improperly configured web server is not the reason to change the most basic
>> part of the language in a way that will break every damn application out there.
>
> This is not a configuration issue, but a security vulnerability that
> can simply be closed by disabling embed mode.
>
> As I mentioned already, injecting malformed PHP scripts into files
> is too easy compared to other languages. This could be improved
> by a simple modification and we can maintain compatibility with it.
>
> I don't see anything wrong here.
>
> Yet another PHP script injection example.
> There are many applications that store user inputs in $_SESSION.
> An attacker can inject PHP script into $_SESSION, then locally include
> it. This is easy since the attacker knows their session ID and the path to
> the session file can be guessed easily. All the attacker has to do is
> find a vulnerable include()/require() to attack.
>
> Regards,
>
> --
> Yasuo Ohgaki
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

-- 
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
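The two injection paths Yasuo describes in the quoted messages (a PHP block hidden after a GIF header, and a PHP block stored through $_SESSION into a session file) can be reproduced in a few lines. What follows is an added example written for this page; it is not code from the thread or from the PHP project. The temporary directory, the file names, the harmless payload (it only sets $marker) and the session file contents are all constructed here; the session file imitates the key|serialized-value layout that PHP's default "files" save handler writes to sess_<id>. The vulnerable function includes whatever path it is given; the hardened one maps the request value onto a fixed allowlist of scripts, which is the fix that does not depend on whether an opening tag is required.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Everything below is constructed
// locally so the effect of include() on non-script files can be observed.

$dir = sys_get_temp_dir() . '/php_embed_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
mkdir($dir . '/pages', 0700);

// The one page the application actually intends to include.
$homePage = $dir . '/pages/home.php';
file_put_contents($homePage, '<?php $marker = "home page"; ?>');

// 1. "Avatar" upload: genuine GIF header bytes, then a PHP block. An image
//    validator that checks the magic bytes accepts it; PHP executes the
//    tagged block if the file is ever passed to include().
$gif = $dir . '/avatar.gif';
file_put_contents(
    $gif,
    "GIF89a\x01\x00\x01\x00\x80\x00\x00" . '<?php $marker = "code ran from avatar.gif"; ?>'
);

// 2. Session file in the layout of the default "files" handler: sess_<id>
//    holding key|serialize(value) pairs. The attacker chooses the session ID
//    (it is their own cookie) and the value (any form field the app stores
//    in $_SESSION), so both the path and the content are under their control.
$sessionId   = 'attackercontrolled0123456789';
$sessionFile = $dir . '/sess_' . $sessionId;
$displayName = '<?php $marker = "code ran from the session file"; ?>';
file_put_contents($sessionFile, 'display_name|' . serialize($displayName));

// Vulnerable pattern: include() on a path derived from request input.
// Returns whatever $marker the included file set, or null if none ran.
function vulnerableInclude(string $path): ?string
{
    $marker = null;
    ob_start();          // swallow the bytes outside <?php ... ?> that PHP echoes as template text
    include $path;       // the included file's assignments land in this function's scope
    ob_end_clean();
    return $marker;
}

// Hardened pattern: the request value is only a key into a fixed allowlist.
// Uploads, session files and ../ sequences never reach include().
function safeInclude(string $page, array $allowlist): ?string
{
    if (!array_key_exists($page, $allowlist)) {
        return null;     // unknown page: do not touch the filesystem at all
    }
    $marker = null;
    ob_start();
    include $allowlist[$page];
    ob_end_clean();
    return $marker;
}

$allowlist = ['home' => $homePage];

// Constructed "request" values an attacker would send to a vulnerable include.
foreach ([$gif, $sessionFile, $homePage] as $requested) {
    printf("vulnerable  include(%s): %s\n", basename($requested),
        var_export(vulnerableInclude($requested), true));
    printf("allowlisted include(%s): %s\n", basename($requested),
        var_export(safeInclude($requested, $allowlist), true));
}
// The only value the hardened version will ever include:
printf("allowlisted include(home): %s\n", var_export(safeInclude('home', $allowlist), true));

// Clean up the constructed files.
foreach ([$gif, $sessionFile, $homePage] as $f) {
    unlink($f);
}
rmdir($dir . '/pages');
rmdir($dir);
```

Run it with `php demo.php`: the vulnerable function reports that code ran from both avatar.gif and the session file, while the allowlisted function returns NULL for every raw path and only includes the page when asked for the key "home". The null-byte point raised in the thread is worth keeping in mind when reading this: since PHP 5.3.4 a path containing a NUL byte is rejected, which removed the classic `%00` truncation trick against `include $_GET['p'] . '.php'`, but an include whose path is attacker-controlled end to end (or whose fixed suffix the attacker can satisfy) needs no truncation, so the allowlist, not the tag requirement, is what closes the hole.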