Re: Resolution for ver_export()/addslashes() encoding based script execution attack?

From:	Stas Malyshev	Date:	Tue, 25 Feb 2014 11:01:12 +0000
Subject:	Re: Resolution for ver_export()/addslashes() encoding based script execution attack?
References:	1 2 3 4 5	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi!

> Engine supports SJIS/other encoding script execution. Therefore,

I'm not sure what you mean by "other encoding script execution". Engine
execution is the same regardless of the data you use, nowhere in the
opcodes there's any encoding that is important.

> addslashes()/var_export() behavior is security vulnerability just like
> encoding based SQL/JavaScript injections.

I don't see how it is "therefore". If there's SQL injection or JS
injection that is not the result of wrong code, then let's outline them
and consider them. Specifically for var_export, which behavior is
broken? I see no mention of the specific examples in the RFC.

> Databases/browsers fixed these issues as vulnerability.

Which "these issues"? Databases and browsers don't have var_export()
function.

> Although, knowledgeable attacker would figure out how. I don't see the
> point disclosing details of vulnerability in public before fixing it. It

We can take it to security list if you think it's too sensitive, or in
private bug. But if we have RFC that say var_export() "lacks proper
multibyte handling" but doesn't say what is expected from it, it's hard
to accept it.

> Writing their own var_export() is not simple task.
> In contrast, fixing them in PHP is easy by using mbstring.

Why would one need to write their own var_export? What are "them" that
are easy to fix by using mbstring?

> addslashes()/var_export() do not recognize char encoding, just like old
> database escape functions.

OK, this is a bit more. Why var_export needs to "recognize char
encoding" and what it means for var_export to "recognize char encoding"?

> Regarding details of this issue, I just think it's not right thing to do
> disclosing detail of fatal vulnerability before fixing. However, I don't

I think many people (myself included) do not see "fatal vulnerability"
being there. If you have some details and feel it's not good to disclose
it you could send it to [email protected] or privately to me or open
private bug. Since I don't know what these details are I rely here on
your judgement.

> I think I've posted enough info to [email protected]
> <mailto:[email protected]>. Is it okay to post it
> here?

Yes, but I don't remember the details about var_export, etc. there.
Maybe I missed the email, could you forward it to me privately then?

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227


   

Thread (20 messages)

• Yasuo OhgakiMon, 24 Feb 2014 09:41:03 +0000
  • Nikita PopovMon, 24 Feb 2014 11:07:05 +0000
    • Yasuo OhgakiTue, 25 Feb 2014 05:07:02 +0000
      • Stas MalyshevTue, 25 Feb 2014 06:47:23 +0000
        • Yasuo OhgakiTue, 25 Feb 2014 10:36:11 +0000
          • Stas MalyshevTue, 25 Feb 2014 11:01:12 +0000
            • Johannes SchlüterTue, 25 Feb 2014 11:39:40 +0000
              • Yasuo OhgakiWed, 26 Feb 2014 06:15:01 +0000
                • Lester CaineWed, 26 Feb 2014 09:03:03 +0000
                  • Yasuo OhgakiWed, 26 Feb 2014 09:21:08 +0000
                    • Lester CaineWed, 26 Feb 2014 12:32:06 +0000
                      • Yasuo OhgakiWed, 26 Feb 2014 22:28:23 +0000
                        • Pádraic BradyThu, 27 Feb 2014 22:22:47 +0000
                          • Yasuo OhgakiThu, 27 Feb 2014 23:08:19 +0000
                            • Pierre JoyeFri, 28 Feb 2014 00:28:39 +0000
              • Stas MalyshevWed, 26 Feb 2014 11:52:40 +0000
                • Yasuo OhgakiWed, 26 Feb 2014 21:23:32 +0000
                  • Stas MalyshevFri, 28 Feb 2014 18:57:29 +0000
                    • Yasuo OhgakiSat, 01 Mar 2014 00:19:41 +0000
            • Yasuo OhgakiWed, 26 Feb 2014 05:25:45 +0000