Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72503 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 97441 invoked from network); 12 Feb 2014 08:05:15 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 12 Feb 2014 08:05:15 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.176 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.217.176 mail-lb0-f176.google.com Received: from [209.85.217.176] ([209.85.217.176:60009] helo=mail-lb0-f176.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D9/34-07280-93B2BF25 for ; Wed, 12 Feb 2014 03:05:14 -0500 Received: by mail-lb0-f176.google.com with SMTP id w7so6673612lbi.7 for ; Wed, 12 Feb 2014 00:05:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=0nW3COWyQL7FG71MALuCsMoPIGQU7QhmlephJB9z3sw=; b=qfIVJnGrizQVV6ySf4irSI29CrGyX78oGthlFWY9jFJ0TmiVWqX4Lf8kjxTsGFHmWs TRlf/SZz+oVH4FPk/mZH3d6m/5xVCPWnahsd7n4+HW/RDQegiWbMdHiTj11NeFdsgdD0 lf3aexo0KzYAE6FSCdf8irpViSKHxD/i9uUcBxR67G1SZJPIhPOb7NvGfv3h8PZyAGUF HsyFDOrY4D4uwNcc6oAXDdYbCdH8SQ1vSoz6IALixSMhntVz3jeSomJe0nB17p/AmT5i HB6JHsSjOHvxpShKsxDpatyq66/HQ2+hiNqkdpfHAcLgrYr+ECn1umK4+Rpf4fL+8mXM Nx0A== X-Received: by 10.152.5.136 with SMTP id s8mr694428las.55.1392192309707; Wed, 12 Feb 2014 00:05:09 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.199.37 with HTTP; Wed, 12 Feb 2014 00:04:29 -0800 (PST) In-Reply-To: <52FB1F9C.9090609@lsces.co.uk> References: <52FA67A4.3030708@lerdorf.com> <52FAB58E.3080701@lsces.co.uk> <52FB0920.8040903@lsces.co.uk> <52FB0D15.9040303@lsces.co.uk> <52FB1F9C.9090609@lsces.co.uk> Date: Wed, 12 Feb 2014 17:04:29 +0900 X-Google-Sender-Auth: RMnE5W6TX9MHuy0sKjUC1hVmZ78 Message-ID: To: Lester Caine Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=047d7b8743a41448fe04f231080a Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags From: yohgaki@ohgaki.net (Yasuo Ohgaki) --047d7b8743a41448fe04f231080a Content-Type: text/plain; charset=UTF-8 Hi Lester, On Wed, Feb 12, 2014 at 4:15 PM, Lester Caine wrote: > Yasuo Ohgaki wrote: > >> Have you actually looked at the 'Some recent LFI issues' that are >> listed? I >> don't thing any one of them would have been protected from by this >> change? >> Providing a php page that can DISPLAY or run any file that it can >> read is >> not going to be protected from by switching embedding off? >> >> 1st one is file upload vulnerability. I'll replace it something else. >> 2nd one is >> >> http://seclists.org/bugtraq/2012/Apr/53 >> $filepath = "$path_to_citrus/$load.php"; >> if (file_exists($filepath)) { >> include('./'.$load.'.php'); >> >> I'm not sure what they are loading. script() prevents from reading >> /etc/passwd >> or any other files. >> > > Since it is loading a .php file there has to be a valid .php file to load? > This is simply another file upload vulnerability? > Oops, I didn't care much about details of LFI reported. You can find many valid examples here or any other similar sites. Unknown LFI would be countless. http://packetstormsecurity.com/search/?q=LFI 3 and 4 as far as I can see expected the files being loaded to contain > embedded php, and so the environment needed to be secured better and the > application rewritten. I accept simply disabling php would have blocked the > hole, but it also would stop the whole application working? Certainly > onefilecms has been completely reworked and is no longer vulnerable ... as > far as I can see ... I've not looked at the other app now. > As an one of security auditor, I would recommend rewrite. They must have strong input validation in first place. The reason why these are reported as security vulnerability is nature of include()/require(). Vulnerability reporters even reports invalid attack vectors for current PHP that requires null bytes to attack. Original author of this RFC was tried to resolve this issue by switching mode. Although, I like the original idea, current RFC is trying to resolve this issue by script(). > I still don't see how - short of switching off embedding permanently - you > will stop critics with ulterior motives from calling PHP insecure? Other > than that one element, php is as at risk as the other languages. Once > embedding is switched off either by calling the file using 'script()' ( > which I view would transparently switch embedding off so not need any ini > switch! ) or by the physical ini switch, then yes PHP is any other > language, so if they are so worried about it ... use something else? > Original RFC was aimed to change require()/include() behavior and protect applications without rewriting most of code, as few as 3 lines. I changed the RFC not to change require()/include() behavior. The switch exists for consistency between directly loaded and indirectly loaded scripts. Consistency matters for languages, especially for new features. IMHO. I could almost be convinced about the 'script()' option, but I would then > insist the loaded file HAD flag an error. It was loosing that 'security blanket' in the other rfc that > grated ... but I don't see the point of the ini switch unless at some point > you want to disable embedding permanently :( It could be made raise error. It's valid option. Top "