Hello,
Chaining filters is becoming an increasingly popular primitive to
exploit PHP applications:
- https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it.html
- https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle.html
- https://www.ambionics.io/blog/wrapwrap-php-filters-suffix + https://github.com/ambionics/wrapwrap
- https://www.ambionics.io/blog/lightyear-file-dump + https://github.com/ambionics/lightyear
They provide increasingly powerful primitives ranging from arbitrary
file read to arbitrary code execution, and are tedious to protect
against, as filters can be used in a lot of places.
The easiest way to kill this vector is to simply limit the number of
filters that can be chained, as attacks require at least a couple of
them, while legitimate uses usually use one or two tops, as highlighted
by arnaud-lb's analysis:
https://github.com/php/php-src/pull/16699#issuecomment-2462281938
I sent a pull-request to implement this:
https://github.com/php/php-src/pull/16699
What do y'all think about this?
--
Julien (jvoisin) Voisin
GPG: 04D041E8171901CC
dustri.org
> The easiest way to kill this vector is to simply limit the number of
> filters that can be chained, as attacks require at least a couple of
> them, while legitimate uses usually use one or two tops, as highlighted
> by arnaud-lb's analysis:
> https://github.com/php/php-src/pull/16699#issuecomment-2462281938
>
> I sent a pull-request to implement this:
> https://github.com/php/php-src/pull/16699
>
> What do y'all think about this?
I am not a fan of hardcoding arbitrary limits, or having an ini setting
for such a limit. I especially think that the suggested limit of 5, or
even 3, is not a good idea.
The example that the issue links to, to fix a vulnerability in, is:
include $_GET['page'];
Which is... yeah.
cheers,
Derick
--
https://derickrethans.nl | https://xdebug.org | https://dram.io
Author of Xdebug. Like it? Consider supporting me: https://xdebug.org/support
mastodon: @derickr@phpc.social @xdebug@phpc.social