Newsgroups: php.internals
Xref: news.php.net php.internals:59547
Message-ID: <4F8348AB.1040305@sugarcrm.com>
Date: Mon, 09 Apr 2012 13:38:03 -0700
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Yasuo Ohgaki
CC: "internals@lists.php.net"
References: <-5877502932356715576@unknownmsgid> <-3647345967307864634@unknownmsgid> <4F831FAE.2030208@ralphschindler.com> <4775322189440202047@unknownmsgid> <4F833682.2000301@ralphschindler.com> <4F833AB0.2060306@sugarcrm.com>
Subject: Re: [PHP-DEV] RFC: source files without opening tag

Hi!

> 1. Find LFI vulnerable application.
> 2. Find a way to inject $_SESSION
> 3. Use session file to execute arbitrary PHP code.

So, you assume you have a broken application with no security AND it allows you to inject arbitrary data in the session (which probably means broken authorization too), and then somehow it's a PHP vulnerability? I'm sorry, but this does not make too much sense to me. If you have an application that allows executing arbitrary code on external request, this app has no security. How is it a vulnerability in PHP?

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
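The three-step chain quoted above (LFI, attacker-controlled data in the session, include of the session file), shown as an added PHP example that is not code from this thread or from PHP itself. It writes a session file by hand in the format PHP's default "php" serializer uses (`key|<serialized value>` per entry), so it runs from the CLI without a real session; the session id, the temp-dir location and the template layout in the hardened loader are assumptions.

```php
<?php
// Added example, not from the mailing-list thread. Demonstrates why the chain
// "LFI + user data in $_SESSION" ends in code execution, and the loader fix.

// 1. Stand-in for what PHP's default session serializer writes to
//    <session.save_path>/sess_<id>: "key|<serialize(value)>" per $_SESSION key.
//    $sessionData plays the role of $_SESSION here (assumption: one string key).
$saveDir     = sys_get_temp_dir();
$sessionId   = 'deadbeef';                        // constructed id; a real one comes from the cookie
$sessionFile = $saveDir . '/sess_' . $sessionId;

// Attacker-controlled value that the app stores in the session, e.g. a "display name".
$attackerInput = "<?php echo 'code ran from session file'; ?>";
$sessionData   = ['name' => $attackerInput];

$encoded = '';
foreach ($sessionData as $key => $value) {
    $encoded .= $key . '|' . serialize($value);   // serialize() does not escape <?php ... ?>
}
file_put_contents($sessionFile, $encoded);

// 2. Vulnerable page loader: include() on a user-supplied path (classic LFI).
//    With ?page=/tmp/sess_deadbeef the serialized text is emitted as inline HTML,
//    but the <?php ... ?> fragment inside the string is parsed and executed.
function vulnerableRender(string $page): string
{
    ob_start();
    include $page;
    return ob_get_clean();
}

// 3. Hardened loader: user input selects from a fixed allowlist of templates and
//    is never passed to include() directly. The session file is still attacker-
//    tainted data; the fix is to remove the path the attacker controls.
function hardenedRender(string $page): string
{
    $templates = [                                 // assumed project layout
        'home'  => __DIR__ . '/templates/home.php',
        'about' => __DIR__ . '/templates/about.php',
    ];
    if (!array_key_exists($page, $templates)) {
        return 'rejected: unknown page';
    }
    ob_start();
    include $templates[$page];
    return ob_get_clean();
}

// Vulnerable: prints the serialized record with the payload's output spliced in
// where the <?php ... ?> block stood, proving the session file was executed.
echo vulnerableRender($sessionFile), "\n";

// Hardened: the same path is rejected before include() ever sees it.
echo hardenedRender($sessionFile), "\n";

unlink($sessionFile);
```

Run it with `php example.php`. The first line of output contains the text `code ran from session file` in place of the PHP tags, which is the whole point of the quoted step 3: once any include() path is attacker-controlled, every file the attacker can put bytes into (session files, upload temp files, logs) becomes a script, and that is an application-level hole rather than a property of the session format.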