Newsgroups: php.internals
Date: Wed, 25 Feb 2015 18:08:25 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: "Kevin Ingwersen (Ingwie Phoenix)"
Cc: Stanislav Malyshev, Pádraic Brady, internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] Script only include/require

Hi Kevin,

On Wed, Feb 25, 2015 at 5:18 PM, Kevin Ingwersen (Ingwie Phoenix) <ingwie2000@googlemail.com> wrote:

> Here are my cents to this RFC, as it just keeps popping up in my inbox and
> it's beginning to be one that I wish I could ignore.
>
> First, … file extensions? A default Apache configuration and some Nginx
> configurations actually accept more than one file extension. This RFC does
> not include any way to specify a variety of extensions that should be
> blocked, ignored or treated otherwise.

It's described in the implementation details section of the RFC. This RFC does not address web server configuration issues. Scripts opened by web servers are just executed as configured.

> Your PHP code is only as secure as you make it. If you are in need of such
> an RFC just to block a few „rare cases", then I would rather suggest that you
> either check your source or hand it to a professional to get it
> counter-checked.
>
> Besides that, it is never a good idea to let a user upload /everything/
> that they want to. A proper MIME-type check can be helpful in these
> scenarios.

A MIME-type check cannot help at all, as it does not guarantee that there are no embedded PHP scripts in the file. Neither image resizing nor removing EXIF info can help. Without this RFC, a single script inclusion vulnerability is enough to take over the victim server on most systems.

> Again, I would not vote for the RFC and I do not think positively about it,
> since I see it as very unnecessary.

Then it means you misunderstood the issue here.

> Thus, if an attacker really wants to get into your business, they have more
> than one way to do so - for instance, exploiting the web server itself.

Exploiting PHP programs is much easier for attackers. That's the reason why attackers check for vulnerable PHP programs. Check your web server access/error logs, you'll see what I mean.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
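The point Yasuo makes above is that neither a MIME-type check nor image processing decides what the engine will execute; only what gets passed to include/require does. The RFC proposes enforcing that inside the engine. As an added example (not code from the thread, the RFC, or PHP itself), the following shows the same restriction implemented at application level: an include wrapper that refuses anything without a .php extension and anything whose canonical path lies outside a trusted directory, so a user-uploaded file can never become code even if the application is tricked into naming it. The function names, the lib/ and uploads/ layout, and the sample files are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not part of the thread or the RFC. An application-level
// include guard: only .php files under explicitly trusted directories may be
// executed. Names (safe_include, $trustedRoots, lib/, uploads/) are hypothetical.

function safe_include_path(string $requested, array $trustedRoots): string
{
    // 1. Extension check before any filesystem access. A file called
    //    avatar.png is data, no matter what bytes it contains.
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'php') {
        throw new RuntimeException("refusing to include non-script file: $requested");
    }

    // 2. Canonicalise so ../ sequences and symlinks cannot escape the roots.
    $real = realpath($requested);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("include target does not exist: $requested");
    }

    // 3. The canonical path must lie strictly inside one trusted root.
    //    This is what stops a .php file dropped into the upload directory.
    foreach ($trustedRoots as $root) {
        $rootReal = realpath($root);
        if ($rootReal === false) {
            continue;
        }
        $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;
        }
    }
    throw new RuntimeException("include target outside trusted roots: $real");
}

function safe_include(string $requested, array $trustedRoots)
{
    // include() returns whatever the included file returns.
    return include safe_include_path($requested, $trustedRoots);
}

// --- demonstration on a constructed layout in a temporary directory ---
$base = sys_get_temp_dir() . '/safe_include_demo_' . getmypid();
mkdir("$base/lib", 0700, true);
mkdir("$base/uploads", 0700, true);

// Trusted application code.
file_put_contents("$base/lib/helper.php", "<?php return 'helper loaded';");
// A constructed user upload. Its content is irrelevant to the guard: it is
// rejected on extension alone and never reaches include().
file_put_contents("$base/uploads/avatar.png", "constructed upload, contents do not matter");
// A .php file in the upload directory passes the extension check but fails
// the trusted-root check.
file_put_contents("$base/uploads/evil.php", "<?php return 'should never run';");

$trusted = ["$base/lib"];

$cases = [
    "$base/lib/helper.php",             // allowed
    "$base/uploads/avatar.png",         // blocked: not a .php file
    "$base/uploads/evil.php",           // blocked: outside trusted roots
    "$base/uploads/../lib/helper.php",  // allowed: resolves inside lib/
    "$base/lib/../uploads/evil.php",    // blocked: resolves outside lib/
];

foreach ($cases as $path) {
    try {
        $result = safe_include($path, $trusted);
        echo "OK      $path -> " . var_export($result, true) . "\n";
    } catch (RuntimeException $e) {
        echo "BLOCKED $path -> " . $e->getMessage() . "\n";
    }
}

// Clean up the constructed layout.
foreach (["$base/lib/helper.php", "$base/uploads/avatar.png", "$base/uploads/evil.php"] as $f) {
    unlink($f);
}
rmdir("$base/lib");
rmdir("$base/uploads");
rmdir($base);
```

Run it with `php safe_include_demo.php` (PHP 7 or later for the scalar type declarations). The extension check alone would still let an attacker-writable .php file under the web root be executed, which is why the realpath-based root check is the part that actually matters; the engine-level restriction the RFC proposes has the advantage of covering every include/require call in the application, including those in third-party code that never goes through a wrapper like this one.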