Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:81995 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 28514 invoked from network); 6 Feb 2015 01:26:28 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 6 Feb 2015 01:26:27 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.180 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.216.180 mail-qc0-f180.google.com Received: from [209.85.216.180] ([209.85.216.180:59044] helo=mail-qc0-f180.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 67/99-17766-24814D45 for ; Thu, 05 Feb 2015 20:26:27 -0500 Received: by mail-qc0-f180.google.com with SMTP id r5so9496946qcx.11 for ; Thu, 05 Feb 2015 17:26:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=z6BWXogZJcn4lUq23L3Ol6hF6pjXJFs2Qf3seOmCdgY=; b=W0HIIOXIAO8imcERVykB7opysBajJADo2UlvOoTn2AHQ+IOc2+kiw8XgsPjlIEBONh fzeRf4VpOLFid9Kr72TFc3Sk4PfK2lZzHZJcVFD7TyIv9ip2Yyv6kvjyE4q+718Sgs0w XYjrgKN4m6OCXxdjstxUxkBqAz5utEBXPTzsokjPox3T67id/iMRjN7LcK6RykTVXRcq dSwqebGxcHIfsRsXhh2J9DVWEmHHg32y2t+kHKUFYGUhrCI61z4hTtMPyPnA1AKJk/oU lYkwlselrWZRjlQ2XOrRyKodxeeXem/zSWLwyHA6iycNQPcc3feJy6flh8ZhwSzMqZ85 E9Fw== X-Received: by 10.140.90.112 with SMTP id w103mr2432993qgd.65.1423185983753; Thu, 05 Feb 2015 17:26:23 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.229.28.72 with HTTP; Thu, 5 Feb 2015 17:25:43 -0800 (PST) In-Reply-To: References: Date: Fri, 6 Feb 2015 10:25:43 +0900 X-Google-Sender-Auth: EOEerX_205myYG7215NPfc__9Hs Message-ID: To: Pierre Joye Cc: Leigh , Adam Harvey , reeze , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a11c11a9802d5f1050e614f8f Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once() From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a11c11a9802d5f1050e614f8f Content-Type: text/plain; charset=UTF-8 Hi Pierre, On Thu, Feb 5, 2015 at 8:49 PM, Pierre Joye wrote: > PHP is just as safe than the other languages. PHP applicatons maybe > less, maybe more. I tend to see the amount of attacks as a proof of > success of a tool instead of a proof of the tool being unsafe (not > worth attacking 0.01% of the market when you can attack 75%). > > > Your proposal requires admins to do the job. It's better to have > developer > > option. > > > > Do any of you have other preferred option for developers? > > We do have one, it is called open_basedir, which I wanted to remove as > well but we agreed that it has its usefulness. One of them being > exactly to avoid the inclusion (and display) of critical information. > It indeed does not prevent one to include and display some text data > containing passwords or the likes when they are in the open_basedir > list but still. > > And again, if one app allows unvalidated include/require (as in your > example), it will most likely do fopen and co as well and get data > displayed one way or another. Using yet another construct will again > give a false sense of security, solving a real problem using a bandaid > tape. > I agree that user must be careful for any file function. This is not limited to include/require. PHP is unique compare to other languages. PHP allows "script include statements" to open files as "script embedded file". The result is completely different. - PHP file exposure and script execution - Others syntax error mostly PHP == Fatal security issue, Others == Bug. AFAIK, Ruby/Perl allows script execution with simple file validation. e.g. Inject code after GIF file signature. However, Ruby/Perl apps were not reported as vulnerable to script inclusion because usual image check, e.g. check image size, can prevent attack image to be stored. Any other files are failed as syntax errors. In contrast, PHP allows to embed script anywhere in a file. Image size check does not help at all. Converting size does not help also. (e.g. Attacker may embed script in color table. Changing size/recreating image cannot prevent attacks) If data is written into files, it can be used to execute. *Session data* file can be used to attack, too. These are the reason why file inclusion attacks against PHP applications are so popular/common. Any PHP applications do file upload (image/etc) or data file writes (wiki/session data) have much higher script inclusion risk compare to others. Other languages have fopen/readfile also. In this case, the result is the same. PHP is as safe as other languages in this area. PHP has became as secure as other languages _except_ script inclusion which allows attackers take over servers. This is what I would like to change. We have been removed embedded script from regex, i.e preg_relace/mb_ereg_replace, because it is dangerous. Why don't we remove embedded script from include/require. include/require is used to execute attack script more often than regex. PHP7 seems perfect opportunity to me. Feasible options are - Introduce script only inclusion statement. script()/script_once() - Change require()/require_once() behavior not to embed script. Let's have no more script/file inclusion attacks! Regards, P.S. Changing the result of bugs like this is defined as a security measure by ISO 27000. -- Yasuo Ohgaki yohgaki@ohgaki.net --001a11c11a9802d5f1050e614f8f--