Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72533
Return-Path: <rowan.collins@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 81350 invoked from network); 12 Feb 2014 22:43:10 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 12 Feb 2014 22:43:10 -0000
Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.170 as permitted sender)
X-PHP-List-Original-Sender: rowan.collins@gmail.com
X-Host-Fingerprint: 74.125.82.170 mail-we0-f170.google.com  
Received: from [74.125.82.170] ([74.125.82.170:42663] helo=mail-we0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9F/3B-19387-CF8FBF25 for <internals@lists.php.net>; Wed, 12 Feb 2014 17:43:09 -0500
Received: by mail-we0-f170.google.com with SMTP id w62so6725722wes.29
        for <internals@lists.php.net>; Wed, 12 Feb 2014 14:43:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:subject:references
         :in-reply-to:content-type;
        bh=E76SMLqsQmGX2OaJJfPji7D3KiR3V+oPPQfB4GjCIk8=;
        b=XZLS1YxeJVi+2lv2LxRUst52sPycySG9FQjjMZz1brsivxkVQyZkMbxe2kUjk6qrO5
         KXXoQWo5LukCYrpZ5m1ZDc2E8zgABvw0TT5EWb+YjlDxb5IR1n+0pQ/rYgiztbk84XxN
         jaQUJ0k8XkqLA83jKo/lO8Y/NWqDQNEZy3kS36Qt66RIBcXR5+xFrGQElip75P9O9raZ
         ZOZP1SxCcfm82xgBgN3fCYZPFjD1Lc6TpNaWdHRsb9jZpfUrMPoafRlnSf2VwouNDz/p
         hvv8tU9B2OM6gUjZuyQdNPctm62aoIzKNpZ8ghxL3d3go+uZ1a3cijsWBrCkkqFr+L61
         9gLw==
X-Received: by 10.194.6.164 with SMTP id c4mr3317709wja.38.1392244986180;
        Wed, 12 Feb 2014 14:43:06 -0800 (PST)
Received: from [192.168.0.152] ([62.189.198.114])
        by mx.google.com with ESMTPSA id ff7sm9158532wic.10.2014.02.12.14.43.04
        for <internals@lists.php.net>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Wed, 12 Feb 2014 14:43:05 -0800 (PST)
Message-ID: <52FBF8F8.5040107@gmail.com>
Date: Wed, 12 Feb 2014 22:43:04 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: internals@lists.php.net
References: <CAGa2bXYU0+eVgnDCkqpG6AWvLCX9gV3+5nzoeD-RJge8Rtw-dQ@mail.gmail.com> <CAGa2bXZCBxJczqX6FKz0T0_iV9LzdeHkw46c17NQsanuCCJ9rA@mail.gmail.com>
In-Reply-To: <CAGa2bXZCBxJczqX6FKz0T0_iV9LzdeHkw46c17NQsanuCCJ9rA@mail.gmail.com>
Content-Type: multipart/alternative;
 boundary="------------000505070606060504010407"
Subject: Re: [PHP-DEV] Re: [RFC] No PHP tags
From: rowan.collins@gmail.com (Rowan Collins)

--------------000505070606060504010407
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Yasuo Ohgaki wrote (on 11/02/2014):
> Local script inclusion is*much grater security threat*  than local script
> expose.

I've been trying to follow the pros and cons of this RFC, and I'm really 
scratching my head on what the security benefit is supposed to be.

As I understand it, for this to even be relevant security-wise, it would 
need to involve a dynamic file path being included, and an attacker 
somehow influencing either which file was loaded, or the contents of 
that file.

The scenarios I can see are:

1) the include was intended to be PHP code, and the attacker substitutes 
different PHP code of their choice
2) the include was intended to be PHP code, and the attacker accesses 
non-PHP data already on server
3) the include was intended to be non-PHP data, and the attacker 
substitutes PHP code of their choice
4) the include was intended to be non-PHP data, and the attacker 
accesses different non-PHP data already on server

This sentence in the RFC Summary sounds like it's talking about 3:

 > However, embedded scripts are serious security risk as it can 
executes any PHP code in any files.

But if somebody is using include() for non-PHP data, they're using the 
wrong function anyway, end of story.

Barring bugs in the engine (e.g. null byte handling) 1 and 4 are 
something that no language can guard against: substituting code for 
code, or data for data (if include() couldn't do it, file_get_contents() 
could). There's a lot of talk in the RFC about validating file 
*contents*, but it seems to me that careful whitelisting of file 
location and naming is generally more relevant (e.g. "/etc/passwd" 
doesn't end in ".php", so it's kind of obvious you shouldn't be passing 
it to an include statement).

2 seems to be more relevant to me: without the "always echo if no <?php 
found" rule, it's easier to trick include() into acting like readfile(). 
The failure to load the expected PHP code would probably cause a Fatal 
Error anyway, but the contents might be exposed first.

But that doesn't seem to be the exploit that is being discussed on this 
RFC. Or am I misunderstanding completely?

Could somebody enlighten me with an artificially simplified example of a 
code execution attack that is possible today but would be prevented (or 
preventable) with the proposed change?

Thanks,
-- 
Rowan Collins
[IMSoP]

--------------000505070606060504010407--