Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:82406
Return-Path: <cmbecker69@gmx.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 93017 invoked from network); 11 Feb 2015 01:45:44 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Feb 2015 01:45:44 -0000
Authentication-Results: pb1.pair.com header.from=cmbecker69@gmx.de; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=cmbecker69@gmx.de; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmx.de designates 212.227.17.22 as permitted sender)
X-PHP-List-Original-Sender: cmbecker69@gmx.de
X-Host-Fingerprint: 212.227.17.22 mout.gmx.net  
Received: from [212.227.17.22] ([212.227.17.22:59845] helo=mout.gmx.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EA/70-24155-344BAD45 for <internals@lists.php.net>; Tue, 10 Feb 2015 20:45:41 -0500
Received: from [192.168.0.100] ([91.67.244.80]) by mail.gmx.com (mrgmx102)
 with ESMTPSA (Nemesis) id 0Lj4xG-1XkNiq0gWc-00dBwl; Wed, 11 Feb 2015 02:45:26
 +0100
Message-ID: <54DAB43C.7040107@gmx.de>
Date: Wed, 11 Feb 2015 02:45:32 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Yasuo Ohgaki <yohgaki@ohgaki.net>, =?UTF-8?B?UGF2ZWwgS291xZlpbA==?=
 <pajousek@gmail.com>
CC: "internals@lists.php.net" <internals@lists.php.net>
References: <CAGa2bXZsANJz_RvsBvC9yBhac+ukHYUngA=GjLOgcqTTPbpGhg@mail.gmail.com> <CAB6YZuxmMBQbVKYFcpH=2Yb0cOBoRSsZLritfV1-VkHrBm=Nbw@mail.gmail.com> <CAGa2bXbff7yQ_X5-9FVXNJzgOqVOpiO6h-OYFx=RMP5-f6X1QA@mail.gmail.com>
In-Reply-To: <CAGa2bXbff7yQ_X5-9FVXNJzgOqVOpiO6h-OYFx=RMP5-f6X1QA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Provags-ID:  V03:K0:/V9yBmKPT+v5ghb796JvUGrrDWspwVvpbRAQidPL5kykhR4mkDC
 V/foDCfD/B0W5tKd7611BOpBl0ZxRYP9HJTKbEBOmdjMBSGL7z6WgGEmyUyiVFFmu2tX3Eb
 U/eG731mC25XmU2Ci6XnRK82pGxDzj7e28nh7PbSyy6KNYrfKjc5jp+TNNK194S9aNSy9+F
 lKPXeTQy7Rv3Jfry6tRAg==
X-UI-Out-Filterresults: notjunk:1;
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes
From: cmbecker69@gmx.de (Christoph Becker)

Yasuo Ohgaki wrote:

> We have been tried to educate users already and introduced some
> mitigations e.g. allow_url_include, open_basedir.
> 
> However, enough time is passed to prove that wasn't enough, isn't it?
> 
> PHP (many and these are _only_ few of them in the wild)
> http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=

I've arbitrarily checked the top most entry (u5CMS), and the LFI was
caused by `echo file_get_contents($_GET['...'])` basically.  There was
neither include|require(_once) involved, nor move_uploaded_file().  From
my, admittedly very limited, experience, this is a rather common source
of LFI vulnerabilities in PHP applications.  I'm afraid that educating
developers is the only way to avoid this kind of vulnerability.

-- 
Christoph M. Becker