Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:59716
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82158 invoked from network); 11 Apr 2012 05:47:50 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Apr 2012 05:47:50 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.161.170 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.161.170 mail-gx0-f170.google.com  
Received: from [209.85.161.170] ([209.85.161.170:42448] helo=mail-gx0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id BF/43-18401-50B158F4 for <internals@lists.php.net>; Wed, 11 Apr 2012 01:47:49 -0400
Received: by ggmb2 with SMTP id b2so329239ggm.29
        for <internals@lists.php.net>; Tue, 10 Apr 2012 22:47:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date
         :x-google-sender-auth:message-id:subject:to:cc:content-type;
        bh=gmgsfpWtDgKG7CDMs2Rg+lWWBi44j4vlkG0ZveGneLQ=;
        b=Bfo8mleMuqWf8vr+5sC8snH3689O5DrSu6a6J1DcDrq5D+z3xDKrN+WqeHCGSlnOoj
         X3WjFd3ritJna2eQfw+bV8D1GChOcXZETVK54Nyw6KhNDO14ncDxhlRbzQTNcCij/IGn
         Qx+PNC6tPIhfYGIBHukMH/3tElieTGag4FeVpgk4XffmzqUVv4S22F1KuXTA0Qqem4be
         D5ADdrU0zRWU+uG7QJAsJ1qjV7YuiFw1atBqjWUC/QLeh/76nZOiHfitvH5WxELlFD6E
         nBeLrgfcz+nS1Q0J0WdFHql7rTUmbEjTibrbovzXsYdNYSw4SCyCYYur08bn+mscjw0Q
         8jGQ==
Received: by 10.236.161.3 with SMTP id v3mr11690321yhk.128.1334123266976; Tue,
 10 Apr 2012 22:47:46 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.146.86.14 with HTTP; Tue, 10 Apr 2012 22:47:06 -0700 (PDT)
In-Reply-To: <4F8515AF.8060706@sugarcrm.com>
References: <CAGa2bXZ6G=Cphjrde3u1Mq3AAw-4yJk3s28vNe+Aybt2nGTumg@mail.gmail.com>
 <CAGa2bXZh4uMeUH_BSCFmfNgxS-SZC0svA9BPcSROjwmbfrtFyQ@mail.gmail.com>
 <CAGa2bXbhi4zdgd9Udo6KsoycDwg_Ke0Xe5h3_-fVDMvn_VfAjQ@mail.gmail.com>
 <A633CF2D7C7BED41B41F1E64F25507B806A5CDD6C2@MAILR001.mail.lan>
 <CAGa2bXZKfQ+HqOucwOnBH7gV84hpdxZb5qNY3t3ThF_zMKSGHw@mail.gmail.com>
 <4F850D06.10701@sugarcrm.com> <CAGa2bXZWrRh8RdMtKK_2_U_XmByC-O6hGRPrJyW5KwvE0CAK-w@mail.gmail.com>
 <4F8515AF.8060706@sugarcrm.com>
Date: Wed, 11 Apr 2012 14:47:06 +0900
X-Google-Sender-Auth: xa2YQ2-RNc-BkufpGCN3K7nDu0E
Message-ID: <CAGa2bXZWudQeRm5h2eENGmgQDPfOqEmijB9-vPAvfKXLCfDiLw@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: John Crenshaw <johncrenshaw@priacta.com>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHP-DEV] Re: Disabling PHP tags by php.ini and CLI options
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi,

2012/4/11 Stas Malyshev <smalyshev@sugarcrm.com>:
> Hi!
>
>> I'm sure you have seen the same code in JSON hijack countermeasure.
>>
>> while(1){}
>
> I think you misunderstood what I means. What I meant is you can inject
> code without <? the same way you can inject code with <?, so where's the
> improvement?

When template_mode=off, the only PHP tags that is allowed it
open tag at the beginning.  Other PHP tags result in syntax errors.
If I have file that has kill() in the middle of file and LFI is used,
it will result in syntax error.

Improvement is "We don't have to inject kill()" and "LFI with data
files result in syntax errors instead of disclosure"
(e.g. include('/etc/passwd'), include('.htaccess'))

Did I answer for you?

> kill() function would be just an example of code being injected by
> hostile third party (intent on killing your server, presumably). If I
> can inject it with <?, what prevents me from injecting without <? ?

If attacker can inject code at the beginning or make valid syntax
at the beginning, they can succeed injection. This is true not
only for PHP, but also Ruby/Perl/Python.

For example, a well known Ruby code injection for GIF image is

----
gif89a = 123;
(attack code here)
----

This is valid Ruby code and if attacker could find a way to load
the image, attack script can be executed.

As I stated in the RFC, template_mode=off is not a perfect solution.
Although it is not a perfect solution, but this is as effective as null
byte protection or allow_url_include.

I hope I answered your question.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net