Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83711
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 79826 invoked from network); 24 Feb 2015 22:55:14 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Feb 2015 22:55:14 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.44 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.192.44 mail-qg0-f44.google.com  
Received: from [209.85.192.44] ([209.85.192.44:36709] helo=mail-qg0-f44.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id DA/3A-24698-1510DE45 for <internals@lists.php.net>; Tue, 24 Feb 2015 17:55:14 -0500
Received: by mail-qg0-f44.google.com with SMTP id j5so151475qga.3
        for <internals@lists.php.net>; Tue, 24 Feb 2015 14:54:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=cE7odYyu+2+/caP3fqOJsAKwS3CYnSa+VpXe89sYiwk=;
        b=xMF1fc0+M16+z6KXzlT/dA8lRW8MT9jGqbvtc/ONUf+R/j4zJJStzCK8mhZVVhQ3P6
         Vuz5GJbZVnpGX2Aqr8pSNNURnmwZbtsn5AwisD30I69YqdtM8G8tGhDUmSixK61JFzJc
         7+P1kmH/YJjcWtdKgxK64ywZI5q5uBb4xOmoEsv2p6HSDL8Em0I7yiU9wfAKuVDEs0cL
         veINSvZ+JfEVfRHd0lkvYqel42YM1c1QUX67tYJvigxBT/maHMfrSw2UtiVjgM6qn+zq
         aooGDH5V58vDpeay1GrIgfyPorXbSQug+9sJK4lbSKcTBaL010FoZisLiIDGGtrhl2le
         tKYw==
X-Received: by 10.140.39.179 with SMTP id v48mr363737qgv.77.1424818481338;
 Tue, 24 Feb 2015 14:54:41 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.229.198.8 with HTTP; Tue, 24 Feb 2015 14:54:01 -0800 (PST)
In-Reply-To: <54ECFAA8.4020305@gmail.com>
References: <CAGa2bXa=LHMT+wdSM_xbHDo1901QDSFa-KotjQckNwVX9wUEUQ@mail.gmail.com>
 <CAGa2bXZ0VCC4ZN0=YU8ZE9LXm8m9j-RJnmYOhd5qrENoa1HimQ@mail.gmail.com>
 <CA+9eiLvV-wY-6BC5FHZM=uMAWm4Ny4Ej_m2F31o6DNGacpfJPQ@mail.gmail.com>
 <CALwr1Gmmy06_4ZgsvUhcf5m7g06vK2s18qmxKBv1gu+syrsbQA@mail.gmail.com>
 <54ECD4E3.9040705@gmail.com> <CALwr1GkY_8TN-HwXnRNL0-1oRfQPJvz0_vyJv_ojUTVsFbkNTQ@mail.gmail.com>
 <CAGa2bXZV1FOaW5mJqx2yw7WQz0prp1zfEgdEw99StbWPgDFUwg@mail.gmail.com> <54ECFAA8.4020305@gmail.com>
Date: Wed, 25 Feb 2015 07:54:01 +0900
X-Google-Sender-Auth: qzOxE9XI7u1Osih1vZlp3RsBeFY
Message-ID: <CAGa2bXZ373PGrJtpmgLje3obzGcXQs5sND=8TzyuKac+hZ--Fg@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: =?UTF-8?Q?P=C3=A1draic_Brady?= <padraic.brady@gmail.com>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c131f6732143050fdd67bc
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c131f6732143050fdd67bc
Content-Type: text/plain; charset=UTF-8

Hi Stas,

On Wed, Feb 25, 2015 at 7:26 AM, Stanislav Malyshev <smalyshev@gmail.com>
wrote:

> > I would like to add a note for this.
> > Anti Virus products are detecting this type of files as "PHP malware".
>
> It looks like you are trying to convince me that PHP malware exists. I
> would like to save you time by notifying you I am aware of this. My
> disagreement is not denying PHP malware exists, it is denying that your
> proposed change does anything to improve situations with code vulnerable
> to externally controlled includes. There may be a way to mitigate this
> problem, but I don't see how requiring that .php would be at the end of
> the filename would be it.
>

I'm presenting the fact that "PHP script embedded malware" exists
in the wild and malware vendors detect them as "PHP malware".


>
> > No other languages have such malware.
>
> Are you seriously claiming there is no malware written in languages
> besides PHP? It can not be, I must be misunderstanding what you mean here.
>

Malwares are written by many languages. It's the fact.

As far as I know, PHP is the only language that has this type of malware.
(Script embedded images) PHP is the only one malware vendors claims
it as "PHP malware". This is the fact.

> The reason why these has to detected as "PHP malware" is that there are
> > PHP programs vulnerable to script inclusion attacks.
>
> No, it's not the reason, at least not the main one. The reason is that:
> a. PHP is an easy language to write code in and is widely deployed
> b. Writing a remote control kit in PHP is easier than in C, etc. and
> there's more guarantee it would work on any random PHP host
> c. There are lots of vulnerable web hosts that have remote execution
> vulnerabilities and can be exploited
>

The reason is other languages are almost safe by default against script
inclusion attacks.
This RFC makes PHP safe by default just like other languages +
move_uploaded_file()
protection.


>
> > Leaving this as it is now would make people think "PHP is insecure than
> > other languages", "Wow, we have many PHP malware. We may be better
> > not to use PHP anymore".
>
> People that think that are illogical - the fact that somebody chose to
> write a remote control toolkit in PHP due to PHP'd high footprint on the
> web has absolutely nothing to do with PHP being less secure. It's like
> saying Ford cars are insecure because somebody robbed a bank and then
> drove away in a Ford car. We should pay absolutely zero attention to the
> opinion of people that are so confused, and instead educate them about
> the real situation.
>
> Of course, if people run no PHP server at all, PHP-driven remote control
> kits would not be useful. But if the server is vulnerable, there are
> many other backdoor kits.
>

People do not have to be exparts of developing softwares. Managers will
choose illogical choice.

> If "PHP malware" is found in a server, developers are force to check
> > their code. Or they have to ask costly code check to people like me,
> > even when PHP programs is safe. If this RFC is accepted, developers
> > can prove their PHP programs are safe without code check.
>
> I do not see how you change leads to anything like that.
>

1. Anti-virus detects "PHP malware"
2. Managers surprises possible attack (Server takeover)
3. Developers are forced to check their code, since current PHP has no
effective script inclusion attack prevention

With this RFC, developers can explain this type of attacks cannot be done
by PHP's feature. i.e. Exploit servers via script embedded images, etc
cannot
be done.

> This RFC benefits may not be obvious for people on this list, but this
> > RFC eliminates certain type of "PHP malware". PHP's script inclusion
>
> I can't think of any type of PHP malware that would be eliminated. At
> most, the malware injection protocols have to be slightly modified to
> work around initial hurdle of not being able to pass files with
> extension .php through move_upload_file(). With RCE vulnerability its
> trivial, with RFI one based on uploads it is a little harder, but only
> insignificantly - if I am not mistaken, in the last email I provided a
> workaround and it took me less than 5 minutes to come up with it,
> without being professional exploit writer.
>

Embedded PHP script uploads are prohibited by this RFC by default.

> is a toy for security researcher and attackers for a long time.
> > Let's take away the toy from them.
>
> It may be worth to take away the toy, but this change just moves the toy
> couple of centimeters aside. Given the BC break potential, I don't see
> much point.


PHP became as secure as other languages with respect to script inclusions.
by default. The issue here is "PHP is not being as secure as other language
with respect to script inclusion attacks". Statistics shows it. This is our
issue.

Users may shoot their own foot, this is not our issue.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c131f6732143050fdd67bc--