Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:59495 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 68072 invoked from network); 9 Apr 2012 10:48:27 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 9 Apr 2012 10:48:27 -0000 Authentication-Results: pb1.pair.com smtp.mail=tom@punkave.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=tom@punkave.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain punkave.com designates 209.85.216.170 as permitted sender) X-PHP-List-Original-Sender: tom@punkave.com X-Host-Fingerprint: 209.85.216.170 mail-qc0-f170.google.com Received: from [209.85.216.170] ([209.85.216.170:56915] helo=mail-qc0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id C1/52-56433-A7EB28F4 for ; Mon, 09 Apr 2012 06:48:27 -0400 Received: by qcmt36 with SMTP id t36so2533172qcm.29 for ; Mon, 09 Apr 2012 03:48:24 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=references:in-reply-to:mime-version:content-transfer-encoding :content-type:message-id:cc:x-mailer:from:subject:date:to :x-gm-message-state; bh=taECzdb3/3YcQoNaK2MIqNHq9G7Yt12+XzHI4vHqyig=; b=jz+tq1Iz7hgGld+K8gTlPh4ZIzro0W1QI+0sepLfK5jXY6F8f/qF6Chbud0kEm1a6e 4Y9jNqXwJpng90yXJrFdXOGvGHskfBIk8n8t5FxuHClLA6pwBUDzbFmPbwwgWvn7nTsz TXFVGgesZPP2+53f+KVRQWwSTjKcZRTWj/mnVxRAWNpRFAmIOZSOHrzWnXwTZzFY5ruR bO/5V/aidJmFZchnCMObe/sYkVAznSFk0Hk/BaFeIKHo68tufujROYr02xquSQ4rTFX+ 0tmqwu19PFhIp3jxmJ1cAjikd7975wVXpiZSxBxqNzavT56//2DAzbVl/uPpN54r0jry ZpwQ== Received: by 10.229.135.208 with SMTP id o16mr2640120qct.120.1333968504466; Mon, 09 Apr 2012 03:48:24 -0700 (PDT) Received: from [192.168.100.101] (c-68-81-107-211.hsd1.pa.comcast.net. [68.81.107.211]) by mx.google.com with ESMTPS id cs10sm24455222qab.8.2012.04.09.03.48.23 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 09 Apr 2012 03:48:23 -0700 (PDT) References: <4F80C739.2060404@gmail.com> In-Reply-To: Mime-Version: 1.0 (1.0) Content-Transfer-Encoding: 7bit Content-Type: multipart/alternative; boundary=Apple-Mail-A886BD96-3082-4819-B637-AFE41F18CE39 Message-ID: <1A4475FB-0ECC-460E-813F-209BA57A2DCE@punkave.com> Cc: Yasuo Ohgaki , PHP Internals X-Mailer: iPhone Mail (9B176) Date: Mon, 9 Apr 2012 06:48:22 -0400 To: Arvids Godjuks X-Gm-Message-State: ALoCoQkvxdSyyxNJk2pUYAIhW7rkhsBv4EpcIXbI4IorbYfQk4qhGPNkhXBW2U8ANK98renO5R1n Subject: Re: [PHP-DEV] PHP class files without wrote:= > And you get same issues that existed with magic quotes, register variables= , safe mode and other optional stuff that was required to run application wh= en set specificaly and it would break if something set differently. PHP just= got rid of it and you want to introduce a new optional feature that will ch= ange how PHP behaves. >=20 > 09.04.2012 9:03 =D0=BF=D0=BE=D0=BB=D1=8C=D0=B7=D0=BE=D0=B2=D0=B0=D1=82=D0=B5= =D0=BB=D1=8C "Yasuo Ohgaki" =D0=BD=D0=B0=D0=BF=D0=B8=D1= =81=D0=B0=D0=BB: > Hi, >=20 > 2012/4/9 Tom Boutell : > > Vulnerabilities in include/require should be fixed there, IMHO, not by > > limiting the feature set of the language. >=20 > I'm not insisting to remove embed feature, but give a option > for programmers/administrators for better security. >=20 > If one is comfortable with current behavior, they can keep > using embed feature by default. Others who care security > may disable embed feature by optional php.ini setting or CLI > option. >=20 > Half of Morihoshi's RFC was joke, but it's a serious proposal > for people who persist better security. IMHO. >=20 > Regards, >=20 > -- > Yasuo Ohgaki > yohgaki@ohgaki.net >=20 >=20 > > > > On Sun, Apr 8, 2012 at 5:34 PM, Yasuo Ohgaki wrote:= > >> Hi, > >> > >> 2012/4/9 Arvids Godjuks : > >>> 8 =D0=B0=D0=BF=D1=80=D0=B5=D0=BB=D1=8F 2012 =D0=B3. 8:16 =D0=BF=D0=BE=D0= =BB=D1=8C=D0=B7=D0=BE=D0=B2=D0=B0=D1=82=D0=B5=D0=BB=D1=8C Yasuo Ohgaki =D0=BD=D0=B0=D0=BF=D0=B8=D1=81=D0=B0=D0=BB: > >>> > >>>> 2012/4/8 =C3=81ngel Gonz=C3=A1lez : > >>>> > On 07/04/12 22:48, Yasuo Ohgaki wrote: > >>>> >> Hi, > >>>> >> > >>>> >> The only valid reason for removing >>>> >> security. > >>>> >> > >>>> >> Since the null byte detection for fopen, remote/local script inclu= sion > >>>> >> became much harder than before. However, it's still possible and v= ery > >>>> >> easy compare to other languages. Script execution is critical secu= rity > >>>> >> problem and it's worth to make it better. > >>>> >> > >>>> >> If there is a switch that turns off PHP's template engine nature, P= HP > >>>> >> could be more secure than now. > >>>> >> > >>>> >> php.ini > >>>> >> template_mode =3D on ; INI_ALL On by default > >>>> >> > >>>> >> php -t foo.php # template mode by default > >>>> >> php -T foo.php # template mode off > >>>> >> > >>>> >> People has option to make their code a little secure than now > >>>> >> or stick with current behavior. > >>>> >> > >>>> >> Regards, > >>>> > How does it help security? > >>>> > If any, requiring ' >>>> > out malicious files on apps with uploads in case there's a local > >>>> > inclusion vulnerability somewhere. > >>>> > > >>>> > >>>> Attackers may inject PHP script almost anything/anywhere since > >>>> PHP code may be embed anywhere in a file. > >>>> > >>>> For example, malicious PHP script may be in GIF something like > >>>> > >>>> gif89a ...any data.. > >>>> > >>>> and all attacker have to do is include/require the data somehow. > >>>> Attacker cannot do that this for other languages, since they are > >>>> not a embedded language. I know case that attackers may inject > >>>> malicious perl/ruby script in data files, but PHP is too easy > >>>> compare to these languages. > >>>> > >>>> Regards, > >>>> > >>>> -- > >>>> Yasuo Ohgaki > >>>> > >>>> -- > >>>> PHP Internals - PHP Runtime Development Mailing List > >>>> To unsubscribe, visit: http://www.php.net/unsub.php > >>>> > >>>> > >>> Improperly configured WEB server is not the reason to change the most b= asic > >>> part of the language that will break every damn application out there.= > >> > >> This is not an configuration issue, but a security vulnerability that > >> can simply closed by disabling embed mode. > >> > >> As I mentioned already, injecting malformed PHP scripts into files > >> is too easy compare to other languages. This could be improved > >> by simple modification and we can maintain compatibility with it. > >> > >> I don't see anything wrong here. > >> > >> Yet another PHP script injection example. > >> There are many applications that store user inputs in $_SESSION. > >> Attacker can inject PHP script into $_SESSION, then locally include > >> it. This is easy since attacker knew their session ID and path to > >> session file is can be guessed easily. All attacker has to do is > >> finding a vulnerable include()/require() to attack. > >> > >> Regards, > >> > >> -- > >> Yasuo Ohgaki > >> > >> -- > >> PHP Internals - PHP Runtime Development Mailing List > >> To unsubscribe, visit: http://www.php.net/unsub.php > >> > > > > > > > > -- > > Tom Boutell > > P'unk Avenue > > 215 755 1330 > > punkave.com > > window.punkave.com > > > > -- > > PHP Internals - PHP Runtime Development Mailing List > > To unsubscribe, visit: http://www.php.net/unsub.php > > >=20 > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php >=20 --Apple-Mail-A886BD96-3082-4819-B637-AFE41F18CE39--