Re: PHP class files without <?php at the top

From:	Yasuo Ohgaki	Date:	Sun, 08 Apr 2012 21:03:25 +0000
Subject:	Re: PHP class files without <?php at the top
References:	1 2 3 4 5 6	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

2012/4/9 Yasuo Ohgaki <[email protected]>:
> Hi,
>
> You are missing my points.
>
> 2012/4/8 Ángel González <[email protected]>:
>> 2012/4/8, Yasuo Ohgaki:
>>> 2012/4/8 Ángel González <[email protected]>:
>>>> How does it help security?
>>>> If any, requiring '<?php' before executable code makes easier to
>>>> filter
>>>> out malicious files on apps with uploads in case there's a local
>>>> inclusion vulnerability somewhere.
>>>>
>>> Attackers may inject PHP script almost anything/anywhere since
>>> PHP code may be embed anywhere in a file.
>>>
>>> For example, malicious PHP script may be in GIF something like
>>>
>>> gif89a ...any data.. <?php exec('rm -rf /') ?>
>>>
>>> and all attacker have to do is include/require the data somehow.
>>> Attacker cannot do that this for other languages, since they are
>>> not a embedded language. I know case that attackers may inject
>>> malicious perl/ruby script in data files, but PHP is too easy
>>> compare to these languages.
>>>
>>> Regards,
>>>
>>> --
>>> Yasuo Ohgaki
>> Yes, but if I properly check that there's no '<?php' in the uploaded
>> files
>> (as you should verify everything you allow users to upload), it can't be
>> exploited.
>> OTOH if the vulnerable include is not an include but an include_code,
>> they could
>> use a file which was
>
> Checking "<?php" is not enough obviously.
> One should check "<?" and "<%" also and there are many data
> files that may contain "<?" and "<%".
>
> Embedding PHP script in image file is popular attack method.
> There is even program called image fight that inject "<?php die()?>"
> into uploaded images to prevent hosting malware images.

I should not forget to mention, one should check

<script language="php">

also.

--
Yasuo Ohgaki
[email protected]


>
> Attacker may inject PHP script into anywhere/any file. Disabling
> embed mode is simple and effective countermeasure.
>
>>> exec("rm -rf"); // Example of what not to do
>> And was happily uploaded as "plain text".
>
> There are 2 types of attacks, one is directly uploading PHP script.
> Another is include PHP script. Uploading as plain text does not help.
>
> Regards,
>
> --
> Yasuo Ohgaki


   

Thread (70 messages)

• Tom BoutellSat, 07 Apr 2012 13:26:01 +0000
  • Charlie SomervilleSat, 07 Apr 2012 13:30:14 +0000
  • Alain WilliamsSat, 07 Apr 2012 13:32:00 +0000
  • CrocodileSat, 07 Apr 2012 13:35:39 +0000
    • Tom BoutellSat, 07 Apr 2012 13:39:29 +0000
      • Stuart DallasSat, 07 Apr 2012 13:43:28 +0000
        • Reindl HaraldSat, 07 Apr 2012 13:49:12 +0000
      • Reindl HaraldSat, 07 Apr 2012 13:44:36 +0000
        • Paul DragoonisSat, 07 Apr 2012 13:48:28 +0000
        • Derick RethansSat, 07 Apr 2012 14:07:29 +0000
          • Reindl HaraldSat, 07 Apr 2012 14:47:49 +0000
            • Derick RethansSat, 07 Apr 2012 15:22:22 +0000Reindl's inappropriate behaviour (Was: Re: [PHP-DEV] PHP class files without <?php at the top)
              • Kiall Mac InnesSat, 07 Apr 2012 15:27:57 +0000
                • Rasmus LerdorfSat, 07 Apr 2012 15:31:48 +0000
                  • Kris CraigSat, 07 Apr 2012 23:07:49 +0000
      • John BaffordSat, 07 Apr 2012 13:50:05 +0000
        • Tom BoutellSat, 07 Apr 2012 14:00:21 +0000
          • Reindl HaraldSat, 07 Apr 2012 14:06:17 +0000
            • Alain WilliamsSat, 07 Apr 2012 14:19:16 +0000
            • Tom BoutellSat, 07 Apr 2012 14:23:34 +0000
              • Reindl HaraldSat, 07 Apr 2012 15:17:54 +0000
                • John CrenshawSat, 07 Apr 2012 15:26:47 +0000RE: [PHP-DEV] MODERATION NEEDED: PHP class files without <?php at the top
            • Ángel GonzálezSat, 07 Apr 2012 14:58:44 +0000
          • John CrenshawSat, 07 Apr 2012 14:53:49 +0000RE: [PHP-DEV] PHP class files without <?php at the top
            • John BaffordSat, 07 Apr 2012 15:22:50 +0000Re: PHP class files without <?php at the top
              • Ángel GonzálezSat, 07 Apr 2012 17:23:39 +0000
                • Rasmus LerdorfSat, 07 Apr 2012 17:29:06 +0000
                  • Ángel GonzálezSat, 07 Apr 2012 20:07:07 +0000
                    • Rasmus LerdorfSat, 07 Apr 2012 20:29:34 +0000
          • John BaffordSat, 07 Apr 2012 14:56:53 +0000
            • Ángel GonzálezSat, 07 Apr 2012 17:28:48 +0000
          • Luke ScottSat, 07 Apr 2012 15:46:27 +0000
            • Tom BoutellSat, 07 Apr 2012 16:04:23 +0000
              • Luke ScottSat, 07 Apr 2012 16:20:34 +0000
          • Luke ScottSat, 07 Apr 2012 15:50:02 +0000
  • Pierre JoyeSat, 07 Apr 2012 16:47:05 +0000
    • Tom BoutellSat, 07 Apr 2012 19:11:39 +0000
  • Kalle Sommer NielsenSat, 07 Apr 2012 17:11:57 +0000
  • Johannes SchlüterSat, 07 Apr 2012 18:12:44 +0000
  • Yasuo OhgakiSat, 07 Apr 2012 20:48:27 +0000
    • Ángel GonzálezSat, 07 Apr 2012 23:01:13 +0000
      • Yasuo OhgakiSun, 08 Apr 2012 05:16:58 +0000
        • Ángel GonzálezSun, 08 Apr 2012 12:00:33 +0000
          • Tom BoutellSun, 08 Apr 2012 12:31:54 +0000
            • Ángel GonzálezMon, 09 Apr 2012 10:27:44 +0000
          • Yasuo OhgakiSun, 08 Apr 2012 20:58:42 +0000
            • Yasuo OhgakiSun, 08 Apr 2012 21:03:25 +0000
        • Arvids GodjuksSun, 08 Apr 2012 21:22:46 +0000
          • Yasuo OhgakiSun, 08 Apr 2012 21:34:05 +0000
            • Tom BoutellSun, 08 Apr 2012 22:11:21 +0000
              • Yasuo OhgakiMon, 09 Apr 2012 07:01:40 +0000
                • Arvids GodjuksMon, 09 Apr 2012 07:20:28 +0000
                  • Yasuo OhgakiMon, 09 Apr 2012 08:35:07 +0000
                    • Deepak BalaniMon, 09 Apr 2012 09:17:20 +0000
                    • John CrenshawMon, 09 Apr 2012 15:34:20 +0000RE: [PHP-DEV] PHP class files without <?php at the top
                      • Tom BoutellMon, 09 Apr 2012 16:09:11 +0000Re: PHP class files without <?php at the top
                        • John CrenshawMon, 09 Apr 2012 16:43:37 +0000RE: [PHP-DEV] PHP class files without <?php at the top
                          • Tom BoutellMon, 09 Apr 2012 17:25:05 +0000Re: PHP class files without <?php at the top
                            • John CrenshawMon, 09 Apr 2012 17:33:33 +0000RE: [PHP-DEV] PHP class files without <?php at the top
                              • Tom BoutellMon, 09 Apr 2012 18:45:08 +0000Re: PHP class files without <?php at the top
                        • Yasuo OhgakiMon, 09 Apr 2012 19:17:27 +0000
                          • Ángel GonzálezMon, 09 Apr 2012 20:11:18 +0000
                            • Yasuo OhgakiMon, 09 Apr 2012 20:28:11 +0000
                  • Tom BoutellMon, 09 Apr 2012 10:48:22 +0000
                    • Pierre JoyeMon, 09 Apr 2012 11:11:20 +0000
                      • Kris CraigMon, 09 Apr 2012 20:45:52 +0000
                        • Tom BoutellMon, 09 Apr 2012 20:52:35 +0000
    • Ferenc KovacsMon, 09 Apr 2012 10:11:03 +0000
      • Tom BoutellMon, 09 Apr 2012 10:46:47 +0000
        • Yasuo OhgakiMon, 09 Apr 2012 19:01:30 +0000