Newsgroups: php.internals
Xref: news.php.net php.internals:59580
Subject: Re: [PHP-DEV] RFC: source files without opening tag
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: internals@lists.php.net
Date: Tue, 10 Apr 2012 08:35:32 +0900
In-Reply-To: <4F8348AB.1040305@sugarcrm.com>

Hi,

2012/4/10 Stas Malyshev:
> Hi!
>
>> 1. Find an LFI-vulnerable application.
>> 2. Find a way to inject $_SESSION.
>> 3. Use the session file to execute arbitrary PHP code.
>
> So, you assume you have a broken application with no security AND it
> allows you to inject arbitrary data into the session (which probably means
> broken authorization too), and then somehow it's a PHP vulnerability? I'm
> sorry, but this does not make much sense to me. If you have an
> application that allows executing arbitrary code on an external request,
> this app has no security. How is it a vulnerability in PHP?

It's a design vulnerability. It does not have to be an attackable security
hole without broken code. There are many security issues and countermeasures
like this, e.g. register_globals in PHP, stack smashing attacks in C, etc.

Some people are trying to introduce tag-less execution. A wise choice for
tag-less execution would be removing the famous LFI vulnerability from PHP.

Regards,

P.S. BTW, LFI is not only good for execution, but also for information
disclosure. Just in case people on this thread didn't realize it.

--
Yasuo Ohgaki
yohgaki@ohgaki.net