Newsgroups: php.internals
Xref: news.php.net php.internals:59583
Subject: Re: [PHP-DEV] RFC: source files without opening tag
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: "internals@lists.php.net"
Date: Tue, 10 Apr 2012 08:54:19 +0900

Hi,

I forgot to answer a question.

2012/4/10 Yasuo Ohgaki :
> Hi,
>
> 2012/4/10 Stas Malyshev :
>> Hi!
>>
>>> 1. Find an LFI-vulnerable application.
>>> 2. Find a way to inject into $_SESSION.
>>> 3. Use the session file to execute arbitrary PHP code.
>>
>> So, you assume you have a broken application with no security AND it
>> allows you to inject arbitrary data into the session (which probably means
>> broken authorization too) and then somehow it's a PHP vulnerability? I'm

No and yes. Many applications start a session without authentication. The attacker knows his own session ID and can guess the path to the session data. If a program starts the session only once authentication is done, then authentication is required. I think authentication is not required in general, since developers are educated to change the session ID at authentication. Most applications start the session before authentication.

BTW, there are more LFI cases that do not involve uploaded files. For example, modern applications have cached data, and the cache may be used for LFI. SQL injection may be used together with LFI to take over the server.

>> sorry but this does not make too much sense to me. If you have an
>> application that allows to execute arbitrary code on external request,
>> this app has no security. How is it a vulnerability in PHP?

My previous reply had broken English, but I think you got the point. The LFI risk is unique to PHP. The cause of the risk is the mandatory embedded script. Just adding tag-less execution does not make much sense, but removing the LFI risk does. IMHO.

Regards,

--
Yasuo Ohgaki
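The three-step chain discussed in this thread (an LFI bug, attacker-controlled data written into $_SESSION before any login, and PHP executing whatever `<?php` segment it finds in an included file), as a self-contained script. This is an added example, not code from the thread or from PHP itself: the temp directory, the `$_GET` arrays, the session ID and the payload are constructed for the demonstration, and the session file is written by hand in the `key|serialize(value)` layout that the default `php` session serializer produces rather than through `session_start()`. The session save path in a real deployment is usually a well-known directory, which is why the attacker only needs to know their own session ID.

```php
<?php
// Added example, not from the php.internals thread. Shows why attacker
// bytes in a session file become code once an LFI bug includes the file:
// PHP's include runs any <?php ... ?> segment, whatever surrounds it.
declare(strict_types=1);

// Constructed sandbox: a fake session save path and one legitimate page.
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir);
mkdir($dir . '/pages');
file_put_contents($dir . '/pages/home.php', "<?php echo \"home page\\n\";\n");

// Step 2: an attacker-controlled value lands in $_SESSION. The session
// was started before login, so no credentials are needed for this.
// Harmless constructed payload; a real one would not just echo.
$payload = '<?php echo "code from session file executed\n"; ?>';

// What the default "php" serializer writes for $_SESSION['user'] = $payload
// (assumption stated in the lead-in: built by hand, not by session_start).
$sessionId   = 'attackercontrolledid';   // attacker knows their own ID
$sessionFile = $dir . '/sess_' . $sessionId;
file_put_contents($sessionFile, 'user|' . serialize($payload));

// Step 1: the vulnerable handler. Whatever ?page= holds is included as-is.
function vulnerable_page(array $get): string
{
    ob_start();
    include $get['page'];          // LFI: user input reaches include
    return (string) ob_get_clean();
}

// Hardened handler: the request selects a key, never a filesystem path.
function safe_page(array $get, string $pagesDir): string
{
    $allowed = ['home' => $pagesDir . '/home.php'];
    $key = $get['page'] ?? '';
    if (!isset($allowed[$key])) {
        return "unknown page\n";   // refuse without touching the filesystem
    }
    ob_start();
    include $allowed[$key];
    return (string) ob_get_clean();
}

// Step 3: the attacker points the LFI at their own session file.
echo "--- vulnerable handler, attacker request ---\n";
echo vulnerable_page(['page' => $sessionFile]);
// The serializer's framing bytes (user|s:NN:" ... ";) come out as literal
// text, and the <?php segment between them is executed.

echo "--- hardened handler, same request ---\n";
echo safe_page(['page' => $sessionFile], $dir . '/pages');   // unknown page
echo safe_page(['page' => 'home'], $dir . '/pages');         // home page

// Clean up the sandbox.
unlink($sessionFile);
unlink($dir . '/pages/home.php');
rmdir($dir . '/pages');
rmdir($dir);
```

Run it with `php lfi-demo.php`. The file being included is not valid PHP as a whole and never has to be: the lexer emits the leading bytes as output and switches to code at the first `<?php`, which is the "mandatory embedded script" property the message above refers to. The hardened handler removes the application-side bug by never deriving an include path from the request; it does nothing about the language-level behaviour, which is the part the RFC discussion is about.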