2012/4/8 Ángel González <[email protected]>:
> On 07/04/12 22:48, Yasuo Ohgaki wrote:
>> Hi,
>>
>> The only valid reason for removing <?php from PHP script would be
>> security.
>>
>> Since the null byte detection for fopen, remote/local script inclusion
>> became much harder than before. However, it's still possible and very
>> easy compared to other languages. Script execution is a critical security
>> problem and it's worth making it better.
>>
>> If there is a switch that turns off PHP's template engine nature, PHP
>> could be more secure than now.
>>
>> php.ini
>> template_mode = on ; INI_ALL On by default
>>
>> php -t foo.php # template mode by default
>> php -T foo.php # template mode off
>>
>> People have the option to make their code a little more secure than now
>> or stick with current behavior.
>>
>> Regards,
> How does it help security?
> If any, requiring '<?php' before executable code makes it easier to filter
> out malicious files on apps with uploads in case there's a local
> inclusion vulnerability somewhere.
>
Attackers may inject PHP script into almost anything/anywhere, since
PHP code may be embedded anywhere in a file.
For example, malicious PHP script may be in a GIF, something like
gif89a ...any data.. <?php exec('rm -rf /') ?>
and all an attacker has to do is include/require the data somehow.
Attackers cannot do this for other languages, since they are
not embedded languages. I know of cases where attackers may inject
malicious perl/ruby script in data files, but PHP is too easy
compared to these languages.
Regards,
--
Yasuo Ohgaki
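
The upload filtering mentioned in the quoted reply, sketched as an added example that is not part of the thread: it asks PHP's own tokenizer whether a file's bytes contain an open tag, which is what decides whether include/require would execute anything in it. The function name `find_embedded_php` and the sample byte strings are assumptions constructed for illustration.

```php
<?php
// Added example (not from the thread): report whether raw file bytes contain
// anything PHP would execute if the file reached include/require.

/**
 * Returns a list of findings; an empty list means no PHP open tag was seen.
 * find_embedded_php() is a hypothetical helper name.
 */
function find_embedded_php(string $bytes): array
{
    $findings = [];

    // Outside an open tag the tokenizer yields only T_INLINE_HTML. Open tags
    // appear as T_OPEN_TAG ("<?php", or "<?" when short_open_tag is on) or
    // T_OPEN_TAG_WITH_ECHO ("<?=").
    foreach (token_get_all($bytes) as $token) {
        if (is_array($token)
            && in_array($token[0], [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO], true)) {
            $findings[] = sprintf('%s at line %d', token_name($token[0]), $token[2]);
        }
    }

    // short_open_tag may be off here but on where the file ends up, so also
    // flag any "<?" that is not an XML declaration.
    if ($findings === []
        && preg_match('/<\?(?!xml\b)/i', $bytes, $m, PREG_OFFSET_CAPTURE)) {
        $findings[] = sprintf('possible short open tag at byte offset %d', $m[0][1]);
    }

    return $findings;
}

// Constructed samples: a GIF header followed by arbitrary bytes, with and
// without an embedded tag. The embedded code is a harmless echo.
$samples = [
    'clean.gif'    => "GIF89a\x01\x00\x01\x00\x80\x00\x00;",
    'embedded.gif' => "GIF89a\x01\x00\x01\x00\x80\x00\x00 <?php echo 'marker'; ?>",
    'short.gif'    => "GIF89a\x01\x00 <? echo 'marker'; ?>",
];

foreach ($samples as $name => $bytes) {
    $hits = find_embedded_php($bytes);
    echo $name, ': ', $hits ? implode('; ', $hits) : 'no PHP open tag', PHP_EOL;
}
```

The scan looks at the file's bytes rather than its extension or declared MIME type, since the embedded tag sits behind an otherwise ordinary image header.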