Newsgroups: php.internals
Xref: news.php.net php.internals:82407
Date: Wed, 11 Feb 2015 10:50:13 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Christoph Becker
Cc: Pavel Kouřil, "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes
In-Reply-To: <54DAB43C.7040107@gmx.de>

Hi Christoph,

On Wed, Feb 11, 2015 at 10:45 AM, Christoph Becker wrote:
> > We have tried to educate users already and introduced some
> > mitigations, e.g. allow_url_include, open_basedir.
> >
> > However, enough time has passed to prove that wasn't enough, hasn't it?
> >
> > PHP (many, and these are _only_ a few of them in the wild)
> > http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=
>
> I've arbitrarily checked the topmost entry (u5CMS), and the LFI was
> caused by `echo file_get_contents($_GET['...'])` basically. There was
> neither include|require(_once) involved, nor move_uploaded_file(). From
> my, admittedly very limited, experience, this is a rather common source
> of LFI vulnerabilities in PHP applications. I'm afraid that educating
> developers is the only way to avoid this kind of vulnerability.

It's not my point. These are only the surface of them, as you can see it
contains only open source projects' vulnerabilities. Script inclusion is
common by evidence, unlike others. This is what I'm trying to change.

Are PHP programmers worse than others? I don't think they are.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
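The `file_get_contents($_GET['...'])` pattern Christoph describes, beside a hardened version that confines reads to one directory, as an added example that is not part of the thread or of PHP's own code; the function names and the scratch directory are assumptions. The same allow-list plus `realpath()` prefix check is what one applies to an include path, the case the RFC is about.

```php
<?php
// Added example (not from the mailing-list thread): the LFI pattern discussed
// above, shown for contrast, and a hardened replacement. Names are hypothetical.

// Vulnerable: the request parameter flows straight into the filesystem path, so
// "../" sequences or stream wrappers select arbitrary files. Never called here.
function readDocumentUnsafe(string $docDir, string $name)
{
    return file_get_contents($docDir . '/' . $name);
}

// Hardened: allow-list the name, append a fixed extension, then resolve with
// realpath() and require the result to stay under the base directory.
function readDocumentSafe(string $docDir, string $name)
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null; // dots, slashes, NUL bytes and "scheme://" prefixes stop here
    }
    $base = realpath($docDir);
    $path = realpath($docDir . DIRECTORY_SEPARATOR . $name . '.txt');
    if ($base === false || $path === false) {
        return null; // missing base directory or nonexistent file
    }
    // The prefix check also catches a symlink inside the directory that points outside it.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

// Constructed fixture: a scratch docs directory holding one legitimate file.
$docDir = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($docDir, 0700);
file_put_contents($docDir . '/readme.txt', "constructed sample document\n");

// Constructed inputs: one legitimate name, one nonexistent name, and the
// traversal and wrapper shapes that the unsafe variant would have honoured.
foreach (['readme', 'notes', '../../../etc/passwd', 'php://filter/resource=readme.txt'] as $name) {
    $r = readDocumentSafe($docDir, $name);
    printf("%-36s => %s\n", $name, $r === null ? 'rejected' : 'read ' . strlen($r) . ' bytes');
}

unlink($docDir . '/readme.txt');
rmdir($docDir);
```

Only `readme` is read; the other three are rejected before any filesystem call that depends on the untrusted value, which is the property the `echo file_get_contents($_GET[...])` code in u5CMS lacked.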