Re: Re: [RFC] No PHP tags

From:	Yasuo Ohgaki	Date:	Wed, 12 Feb 2014 06:17:38 +0000
Subject:	Re: Re: [RFC] No PHP tags
References:	1 2 3 4 5 6 7 8	Groups:	php.internals
Request:	Send a blank email to internals+get-72495@lists.php.net to get a copy of this message

Hi Lester,

On Wed, Feb 12, 2014 at 2:56 PM, Lester Caine <lester@lsces.co.uk> wrote:

> Lester Caine wrote:
>
>> can you really protect them anyway?
>>
> Yasuo
> Have you actually looked at the 'Some recent LFI issues' that are listed?
> I don't thing any one of them would have been protected from by this
> change? Providing a php page that can DISPLAY or run any file that it can
> read is not going to be protected from by switching embedding off?


1st one is file upload vulnerability. I'll replace it something else.
2nd one is

http://seclists.org/bugtraq/2012/Apr/53

    $filepath = "$path_to_citrus/$load.php";
                if (file_exists($filepath)) {
                        include('./'.$load.'.php');

I'm not sure what they are loading. script() prevents from reading
/etc/passwd or any other files.

3rd one is
https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

It could also be protected by script().

4th one is
http://TARGET/onefilecms/onefilecms.php?f=../../../../etc/passwd

The same as 3rd one.

It works well for LFI. Important thing is include()/require() needs extra
care to make sure it's secure. I would suggest to validate all inputs, but
user may have invalid validation. Single mistake could be serious
disaster. It's better if there is script() for sure. (Defense in depth)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net


   

Thread (37 messages)

• Yasuo OhgakiMon, 10 Feb 2014 07:35:28 +0000
  • Stas MalyshevMon, 10 Feb 2014 07:56:35 +0000
  • Rasmus LerdorfMon, 10 Feb 2014 08:14:20 +0000
    • Yasuo OhgakiMon, 10 Feb 2014 21:40:12 +0000
  • Andrea FauldsMon, 10 Feb 2014 12:24:46 +0000
  • Sebastian KrebsMon, 10 Feb 2014 14:16:44 +0000
    • Yasuo OhgakiMon, 10 Feb 2014 21:42:15 +0000
      • Madara UchihaMon, 10 Feb 2014 22:39:51 +0000
      • Lester CaineMon, 10 Feb 2014 23:35:07 +0000
  • Kris CraigTue, 11 Feb 2014 00:29:35 +0000
  • Yasuo OhgakiTue, 11 Feb 2014 17:42:13 +0000Re: [RFC] No PHP tags
    • Rasmus LerdorfTue, 11 Feb 2014 18:10:44 +0000Re: Re: [RFC] No PHP tags
      • Yasuo OhgakiTue, 11 Feb 2014 23:13:30 +0000
        • Yasuo OhgakiTue, 11 Feb 2014 23:33:32 +0000
          • Rasmus LerdorfWed, 12 Feb 2014 01:29:01 +0000
            • Yasuo OhgakiWed, 12 Feb 2014 02:16:20 +0000
        • Lester CaineTue, 11 Feb 2014 23:43:10 +0000
          • Yasuo OhgakiWed, 12 Feb 2014 01:02:26 +0000
            • Lester CaineWed, 12 Feb 2014 05:39:44 +0000
              • Lester CaineWed, 12 Feb 2014 05:56:37 +0000
                • Yasuo OhgakiWed, 12 Feb 2014 06:17:38 +0000
                  • Lester CaineWed, 12 Feb 2014 07:15:40 +0000
                    • Yasuo OhgakiWed, 12 Feb 2014 08:04:29 +0000
              • Yasuo OhgakiWed, 12 Feb 2014 06:26:21 +0000
    • Yasuo OhgakiTue, 11 Feb 2014 18:11:03 +0000
    • Lester CaineTue, 11 Feb 2014 19:26:15 +0000Re: Re: [RFC] No PHP tags
    • Rowan CollinsWed, 12 Feb 2014 22:43:04 +0000Re: Re: [RFC] No PHP tags
      • Yasuo OhgakiThu, 13 Feb 2014 01:30:52 +0000
        • Rasmus LerdorfThu, 13 Feb 2014 15:07:41 +0000
          • Yasuo OhgakiThu, 13 Feb 2014 22:51:59 +0000
            • Rasmus LerdorfFri, 14 Feb 2014 00:00:53 +0000
              • Yasuo OhgakiFri, 14 Feb 2014 01:01:35 +0000
        • Rowan CollinsFri, 14 Feb 2014 17:10:08 +0000
          • Yasuo OhgakiFri, 14 Feb 2014 22:28:08 +0000
            • Johannes SchlüterFri, 14 Feb 2014 23:53:44 +0000
              • Yasuo OhgakiSat, 15 Feb 2014 00:03:23 +0000
• Andrey AndreevTue, 11 Feb 2014 13:21:16 +0000Re: [RFC] No PHP tags