Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:59542 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 73370 invoked from network); 9 Apr 2012 20:15:45 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 9 Apr 2012 20:15:45 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.170 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.213.170 mail-yx0-f170.google.com Received: from [209.85.213.170] ([209.85.213.170:35526] helo=mail-yx0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id FD/78-34074-F63438F4 for ; Mon, 09 Apr 2012 16:15:44 -0400 Received: by yenl5 with SMTP id l5so2339565yen.29 for ; Mon, 09 Apr 2012 13:15:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=CKdvyhG+n4ON3bzqa9PqLi0+AdGJuVNcSKTuzRSpAOQ=; b=04o3Dt3KMm/8X0HuEVzy6xwCFws3XumvxE8AQPY9iLgELSrQtuXnD1q8IBm5+FPdUq EL+g8pqamRzz6FX2Ah/mliFpnoRMfq/aP9021X/uaiUp8hgg1Bmcg7ni2htNVUauseMW dJLAvhOme3InNQhyuVRkSlbHIinODdkPYr/f7/GCR3k1j7KRm0FKRt9MCiE+NJpjU6nj nh9Jr3AvAvo63kIish/1GndaFb7PlsddQHE2ijNNtnMdw7x65xvWpugHQrEAL8CsA8eZ 9K2KB/lUjvmzcL52kXH0rqVRf57QmV1sy3iBFv5K/rkiJdSQgfheOcRTBgsc7Ey9Qyeg Qvxw== Received: by 10.100.200.4 with SMTP id x4mr2215295anf.6.1334002541237; Mon, 09 Apr 2012 13:15:41 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.146.86.14 with HTTP; Mon, 9 Apr 2012 13:15:00 -0700 (PDT) In-Reply-To: <4F833AB0.2060306@sugarcrm.com> References: <-5877502932356715576@unknownmsgid> <-3647345967307864634@unknownmsgid> <4F831FAE.2030208@ralphschindler.com> <4775322189440202047@unknownmsgid> <4F833682.2000301@ralphschindler.com> <4F833AB0.2060306@sugarcrm.com> Date: Tue, 10 Apr 2012 05:15:00 +0900 X-Google-Sender-Auth: WqKRCRHITxKmvwVDGO7sKYX_bGs Message-ID: To: Stas Malyshev Cc: Ralph Schindler , "internals@lists.php.net" Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: [PHP-DEV] RFC: source files without opening tag From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi, 2012/4/10 Stas Malyshev : > Hi! > >> Tom's FRC is trying to introduce tag less PHP script. >> However, it does not fix well known PHP vulnerability. i.e. LFI/RFI >> IMHO, this change introduce more complexity and do not solve >> any problem. > > I'm not sure I follow - which PHP vulnerability you are talking about? Not many people read RFC, so I should have written example attack scenario. Because PHP is embedded scripting language, PHP code may be embedded anywhere/any files. One convenient place is session storage. i.e. file save handler. ==Exploiting LFI without file uploads== 1. Find FLI vulnerable application. 2. Find a way to inject $_SESSION 3. Use session file to execute arbitrary PHP code. Files save handler is the default, attacker knew his/her session ID and can guess session.save_path easily. Therefore, there are high possibility that attacker could take control of web server via LFI. == Possible protections == It's possible to prevent session FLI by adding "" to top of session data. It's not clean solution and has compatibility issue with other systems. (e.g. There are PERL/Ruby/Python scripts that decodes PHP session data) It's also possible that makes save_path unpredictable. It won't worth to do that. IMO. If developers/administrators could make PHP tag non mandatory, almost all LFI could be protected by simple file validation. i.e. Check the first line if it begins with "