Newsgroups: php.internals
Message-ID: <54DC088F.8030906@gmx.de>
Date: Thu, 12 Feb 2015 02:57:35 +0100
To: Yasuo Ohgaki
CC: Pavel Kouřil, "internals@lists.php.net"
References: <54DAB43C.7040107@gmx.de>
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Script only includes
From: cmbecker69@gmx.de (Christoph Becker)

Hi Yasuo,

Yasuo Ohgaki wrote:
> Hi Christoph,
>
> On Wed, Feb 11, 2015 at 10:45 AM, Christoph Becker wrote:
>
>>> We have tried to educate users already and introduced some
>>> mitigations, e.g. allow_url_include, open_basedir.
>>>
>>> However, enough time has passed to prove that wasn't enough, isn't it?
>>>
>>> PHP (many, and these are _only_ a few of them in the wild)
>>> http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=
>>
>> I've arbitrarily checked the topmost entry (u5CMS), and the LFI was
>> caused by `echo file_get_contents($_GET['...'])` basically. There was
>> neither include|require(_once) involved, nor move_uploaded_file(). From
>> my, admittedly very limited, experience, this is a rather common source
>> of LFI vulnerabilities in PHP applications. I'm afraid that educating
>> developers is the only way to avoid this kind of vulnerability.
>
> It's not my point. These are only the surface of them, as you can see it
> contains only open source projects' vulnerabilities.
>
> Script inclusion is common by evidence, unlike others.

If you mean "unlike other languages", I tend to agree. However, I'm still
afraid that script inclusion vulnerabilities are *way* less common than
vulnerabilities due to *reading* and *displaying* (*not* *executing*)
arbitrary files in PHP applications.

> This is what I'm trying to change.
> Are PHP programmers worse than others?
> I don't think they are.

Certainly, there are many fine PHP programmers, but also there are many PHP
programmers who are not sufficiently educated with regard to security (I
might still be part of the latter group).

> Regards,

Regards,

--
Christoph M. Becker
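To make the pattern discussed in this reply concrete, here is an added example (not code from the thread, from u5CMS, or from PHP itself) that places the `echo file_get_contents($_GET['...'])` pattern Christoph describes next to a hardened variant that confines reads to one directory; `show_file_unsafe()`, `read_public_file()` and the temp-directory self-check are assumptions of this example, and it assumes PHP 8.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// The unsafe pattern named in the thread: the request value is used as the
// path, so any file PHP can read is displayed. open_basedir limits which
// tree is reachable but does not fix the application logic, and
// allow_url_include only governs include/require, not file_get_contents().
function show_file_unsafe(string $name): void
{
    echo file_get_contents($name);
}

// Hardened variant: join the name onto a fixed base directory, canonicalise
// with realpath(), and serve the file only if the canonical path still
// lies inside that base directory.
function read_public_file(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || str_contains($name, "\0")) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check on the canonical path (prefix includes the separator,
    // so a base of /var/www/pub does not accept /var/www/pub2/...).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return file_get_contents($candidate);
}

// Self-check on constructed files in the system temp directory.
$tmp = sys_get_temp_dir();
$pub = $tmp . DIRECTORY_SEPARATOR . 'pub_' . bin2hex(random_bytes(4));
$outside = $tmp . DIRECTORY_SEPARATOR . 'outside_' . bin2hex(random_bytes(4)) . '.txt';
mkdir($pub);
file_put_contents($pub . DIRECTORY_SEPARATOR . 'readme.txt', "public content\n");
file_put_contents($outside, "not public\n");
$ok = read_public_file($pub, 'readme.txt') === "public content\n"
   && read_public_file($pub, '..' . DIRECTORY_SEPARATOR . basename($outside)) === null
   && read_public_file($pub, 'missing.txt') === null;

unlink($pub . DIRECTORY_SEPARATOR . 'readme.txt');
unlink($outside);
rmdir($pub);
echo $ok ? "containment check holds\n" : "containment check FAILED\n";
```

The self-check shows the file inside the base directory being served while a sibling file outside it, reachable through `..`, is refused by the prefix comparison on the canonical path rather than by any pattern match on the raw input.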