Newsgroups: php.internals
Xref: news.php.net php.internals:72495
In-Reply-To: <52FB0D15.9040303@lsces.co.uk>
References: <52FA67A4.3030708@lerdorf.com>
 <52FAB58E.3080701@lsces.co.uk> <52FB0920.8040903@lsces.co.uk> <52FB0D15.9040303@lsces.co.uk>
Date: Wed, 12 Feb 2014 15:17:38 +0900
To: Lester Caine
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Lester,

On Wed, Feb 12, 2014 at 2:56 PM, Lester Caine wrote:

> Lester Caine wrote:
>
>> can you really protect them anyway?
>>
> Yasuo
> Have you actually looked at the 'Some recent LFI issues' that are listed?
> I don't think any one of them would have been protected from by this
> change? Providing a php page that can DISPLAY or run any file that it can
> read is not going to be protected from by switching embedding off?

1st one is file upload vulnerability. I'll replace it with something else.

2nd one is http://seclists.org/bugtraq/2012/Apr/53

    $filepath = "$path_to_citrus/$load.php";
    if (file_exists($filepath)) {
        include('./'.$load.'.php');
    }

I'm not sure what they are loading. script() prevents reading /etc/passwd
or any other files.

3rd one is
https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

It could also be protected by script().

4th one is
http://TARGET/onefilecms/onefilecms.php?f=../../../../etc/passwd

The same as 3rd one.

It works well for LFI. The important thing is that include()/require()
needs extra care to make sure it's secure. I would suggest validating all
inputs, but users may have invalid validation. A single mistake could be a
serious disaster. It's better if there is script() for sure. (Defense in
depth)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
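As an added illustration (not code from this thread, from the "No PHP tags" RFC, or from any of the advisories cited above), the PHP below shows the two layers the message argues for: validating the untrusted module name before it ever reaches include(), and, independently of that, refusing to include a file that is not PHP source. The second layer is what makes the /etc/passwd cases harmless: include() starts in HTML mode, so everything before the first `<?php` tag in the target file is echoed to the client, which is why a traversal to /etc/passwd dumps the file; a loader that only accepts PHP source (the effect the message attributes to script()) turns that into an error instead. The class name, the allow-list, the module directory layout and the fixture files are assumptions made for this example. The two traversal strings are the ones quoted in the message, with %00 already URL-decoded to a NUL byte, as PHP does for $_GET.

```php
<?php
// Added example; not part of the original thread or of the RFC under discussion.
// Names, allow-list and directory layout are assumptions for illustration only.

declare(strict_types=1);

final class ModuleLoader
{
    /** Resolved directory that loadable modules live in (assumed layout). */
    private string $baseDir;

    /** Explicit allow-list of module names this application knows about (assumed). */
    private const ALLOWED = ['home', 'login', 'sortfieldsjson'];

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new RuntimeException("module directory does not exist: $baseDir");
        }
        $this->baseDir = $real;
    }

    /**
     * Layer 1: validate the untrusted name before it can form a path.
     * The character class admits no "/", "\", "." or NUL, so inputs such as
     * "../../../../etc/passwd" or "....../etc/passwd\0" are rejected outright,
     * and the allow-list rejects anything the application did not intend to load.
     */
    public function validateName(string $name): string
    {
        if ($name === '' || strlen($name) > 64) {
            throw new InvalidArgumentException('bad module name length');
        }
        if (!preg_match('/\A[a-z0-9_]+\z/', $name)) {
            throw new InvalidArgumentException('module name contains illegal characters');
        }
        if (!in_array($name, self::ALLOWED, true)) {
            throw new InvalidArgumentException('module not in allow-list');
        }
        return $name;
    }

    /**
     * Layer 2 (defense in depth): resolve the file, confirm it is still under
     * the module directory, and refuse anything that does not begin with "<?php".
     * include() would print a non-PHP file verbatim; this check gives the
     * "only PHP source is ever included" guarantee even if layer 1 were wrong.
     */
    public function resolve(string $name): string
    {
        $candidate = $this->baseDir . DIRECTORY_SEPARATOR . $this->validateName($name) . '.php';
        $path = realpath($candidate);
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            throw new RuntimeException('module file missing or outside module directory');
        }
        // Read only the first five bytes; a PHP source file must start in PHP mode.
        $head = file_get_contents($path, false, null, 0, 5);
        if ($head !== '<?php') {
            throw new RuntimeException("refusing to include non-PHP file: $path");
        }
        return $path;
    }

    public function load(string $name): void
    {
        include $this->resolve($name);
    }
}

// Constructed fixture so the example runs offline: one real module and one
// file that exists under the allow-listed name but is not PHP source.
$dir = sys_get_temp_dir() . '/modules_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/sortfieldsjson.php", "<?php\necho \"sortfieldsjson loaded\\n\";\n");
file_put_contents("$dir/home.php", "root:x:0:0:root:/root:/bin/bash\n"); // include() would print this

$loader = new ModuleLoader($dir);
$inputs = [
    'sortfieldsjson',                               // legitimate
    'home',                                         // allow-listed name, but not PHP source
    "../../../../../../../../etc/passwd\0",         // vtigercrm-style traversal with NUL byte
    '../../../../etc/passwd',                       // onefilecms-style traversal
];
foreach ($inputs as $input) {
    try {
        echo 'OK: ', $loader->resolve($input), "\n";
    } catch (Throwable $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}

// Clean up the fixture.
unlink("$dir/sortfieldsjson.php");
unlink("$dir/home.php");
rmdir($dir);
```

Running it prints one resolved path for `sortfieldsjson`, a refusal for `home` because the file does not begin with `<?php`, and an InvalidArgumentException for both traversal strings; the traversal inputs never reach realpath() or include() at all. The second layer is the one that would have changed the outcome in the three /etc/passwd advisories even had the first been forgotten, which is the defense-in-depth argument the message makes for script().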