Re: PHP class files without <?php at the top

Date: Sun, 08 Apr 2012 20:58:42 +0000
Subject: Re: PHP class files without <?php at the top
Groups: php.internals
Hi,

You are missing my points.

2012/4/8 Ángel González <[email protected]>:
> 2012/4/8, Yasuo Ohgaki:
>> 2012/4/8 Ángel González <[email protected]>:
>>> How does it help security?
>>> If anything, requiring '<?php' before executable code makes it easier to filter
>>> out malicious files on apps with uploads in case there's a local
>>> inclusion vulnerability somewhere.
>>>
>> Attackers may inject PHP script into almost anything/anywhere, since
>> PHP code may be embedded anywhere in a file.
>>
>> For example, a malicious PHP script may be in a GIF, something like
>>
>> gif89a ...any data.. <?php exec('rm -rf /') ?>
>>
>> and all the attacker has to do is include/require the data somehow.
>> Attackers cannot do this for other languages, since they are
>> not embedded languages. I know of cases where attackers may inject
>> malicious perl/ruby script into data files, but PHP is too easy
>> compared to these languages.
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
> Yes, but if I properly check that there's no '<?php' in the uploaded files
> (as you should verify everything you allow users to upload), it can't be
> exploited.
> OTOH if the vulnerable include is not an include but an include_code,
> they could
> use a file which was

Checking for "<?php" is obviously not enough.
One should also check for "<?" and "<%", and there are many data
files that may legitimately contain "<?" and "<%".

Embedding PHP script in an image file is a popular attack method.
There is even a program called image fight that injects "<?php die()?>"
into uploaded images to prevent hosting malware images.

Attackers may inject PHP script anywhere, into any file. Disabling
embed mode is a simple and effective countermeasure.

>> exec("rm -rf"); // Example of what not to do
> And was happily uploaded as "plain text".

There are 2 types of attacks: one is directly uploading a PHP script,
the other is including a PHP script. Uploading as plain text does not help.

Regards,

--
Yasuo Ohgaki
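The gap the post describes, shown as an added example (not code from the thread or from PHP itself): an upload scanner that looks only for "<?php" passes a GIF carrying a short "<?" or ASP-style "<%" tag, while the stricter scan that catches those also flags a perfectly legitimate SVG because its XML declaration starts with "<?". All sample files below are constructed inline; the tag contents are harmless stand-ins.

```python
"""Scan uploaded bytes for every PHP open-tag variant, not just '<?php'."""
import re

# Open-tag spellings the PHP parser has honoured ('<?' and '<%' depend on the
# short_open_tag / asp_tags ini settings, which a defender cannot assume are off).
# Longest alternatives first so the report names the most specific tag.
OPEN_TAG_RE = re.compile(rb"<\?php\b|<\?=|<\?|<%=|<%", re.IGNORECASE)


def find_open_tags(data: bytes):
    """Return (offset, tag) for each PHP open tag found anywhere in the bytes."""
    return [(m.start(), m.group(0).lower()) for m in OPEN_TAG_RE.finditer(data)]


def naive_check(data: bytes) -> bool:
    """The check criticised in the post: accept unless '<?php' appears."""
    return b"<?php" not in data.lower()


def strict_check(data: bytes) -> bool:
    """Reject any '<?' or '<%' sequence. Catches every embedded-PHP variant,
    but also rejects data files that legitimately start with '<?xml'."""
    return not find_open_tags(data)


# Constructed samples (not real uploads): a minimal GIF header followed by
# each tag flavour, and a clean SVG whose XML declaration contains '<?'.
_GIF_HEAD = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 8          # 18 bytes
GIF_LONG_TAG = _GIF_HEAD + b"<?php /* payload stand-in */ ?>"
GIF_SHORT_TAG = _GIF_HEAD + b"<? /* payload stand-in */ ?>"
GIF_ASP_TAG = _GIF_HEAD + b"<% /* payload stand-in */ %>"
SVG_CLEAN = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'


def triage(name: str, data: bytes) -> dict:
    """Summarise how each check treats one upload, for side-by-side comparison."""
    return {
        "file": name,
        "naive_passes": naive_check(data),
        "strict_passes": strict_check(data),
        "tags": find_open_tags(data),
    }


if __name__ == "__main__":
    for name, blob in [("gif-long", GIF_LONG_TAG), ("gif-short", GIF_SHORT_TAG),
                       ("gif-asp", GIF_ASP_TAG), ("svg-clean", SVG_CLEAN)]:
        print(triage(name, blob))
```

The short-tag and ASP-tag GIFs sail through the naive check, and the clean SVG fails the strict one, which is exactly why the post argues for disabling embed mode on the interpreter side rather than trusting content filtering alone.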

