2012/4/9 Yasuo Ohgaki <yohg...@ohgaki.net>:
> Hi,
>
> You are missing my points.
>
> 2012/4/8 Ángel González <keis...@gmail.com>:
>> 2012/4/8, Yasuo Ohgaki:
>>> 2012/4/8 Ángel González <keis...@gmail.com>:
>>>> How does it help security?
>>>> If any, requiring '<?php' before executable code makes it easier to filter
>>>> out malicious files on apps with uploads in case there's a local
>>>> inclusion vulnerability somewhere.
>>>>
>>> Attackers may inject PHP script into almost anything/anywhere, since
>>> PHP code may be embedded anywhere in a file.
>>>
>>> For example, a malicious PHP script may be in a GIF, something like
>>>
>>> gif89a ...any data.. <?php exec('rm -rf /') ?>
>>>
>>> and all an attacker has to do is include/require the data somehow.
>>> Attackers cannot do this for other languages, since they are
>>> not embedded languages. I know of cases where attackers may inject
>>> malicious perl/ruby script into data files, but PHP is too easy
>>> compared to these languages.
>>>
>>> Regards,
>>>
>>> --
>>> Yasuo Ohgaki
>> Yes, but if I properly check that there's no '<?php' in the uploaded files
>> (as you should verify everything you allow users to upload), it can't be
>> exploited.
>> OTOH if the vulnerable include is not an include but an include_code,
>> they could
>> use a file which was
>
> Checking "<?php" is not enough, obviously.
> One should check "<?" and "<%" also, and there are many data
> files that may contain "<?" and "<%".
>
> Embedding PHP script in an image file is a popular attack method.
> There is even a program called image fight that injects "<?php die()?>"
> into uploaded images to prevent hosting malware images.

I should not forget to mention, one should check <script language="php"> also.

--
Yasuo Ohgaki
yohg...@ohgaki.net

>
> Attackers may inject PHP script into anywhere/any file. Disabling
> embed mode is a simple and effective countermeasure.
>
>>> exec("rm -rf"); // Example of what not to do
>> And was happily uploaded as "plain text".
>
> There are 2 types of attacks: one is directly uploading a PHP script.
> Another is including a PHP script. Uploading as plain text does not help.
>
> Regards,
>
> --
> Yasuo Ohgaki

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
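An upload filter in the spirit of this thread, added here as an example (Python, not code from the thread or from the PHP project): it scans the raw bytes of an upload for every open-tag form named above and, using constructed sample blobs, shows why the bare "<?" check also flags an ordinary XML prolog, which is the false-positive problem the thread raises.

```python
import re

# Open-tag forms named in the thread. A bare "<?" also covers "<?php" and "<?=";
# "<%" is the ASP-style tag. The scan is byte-oriented (an assumption of this
# example) so that binary uploads such as images are covered as well as text.
PHP_OPEN_TAGS = [
    ("short/standard open tag", re.compile(rb"<\?")),
    ("asp-style open tag", re.compile(rb"<%")),
    ("script language=php",
     re.compile(rb"<script\b[^>]*\blanguage\s*=\s*['\"]?php\b", re.IGNORECASE)),
]


def find_php_open_tags(data: bytes):
    """Return [(offset, label, snippet)] for every open-tag occurrence in data."""
    hits = []
    for label, pattern in PHP_OPEN_TAGS:
        for m in pattern.finditer(data):
            hits.append((m.start(), label, data[m.start():m.start() + 24]))
    return sorted(hits)


def is_clean_upload(data: bytes) -> bool:
    """True only if none of the open-tag forms occur anywhere in the bytes."""
    return not find_php_open_tags(data)


# Constructed sample blobs (not real uploads). The tainted GIF carries a
# harmless echo after its header, at the position an attacker would use.
CLEAN_GIF = (b"GIF89a" + bytes(12)
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
TAINTED_GIF = b"GIF89a" + bytes(12) + b"<?php echo 'hi'; ?>" + b"\x3b"
SCRIPT_TAG = b"<html><SCRIPT Language='PHP'>echo 1;</script></html>"
XML_PROLOG = b"<?xml version='1.0'?><doc/>"  # legitimate data tripped by "<?"

if __name__ == "__main__":
    for name, blob in [("clean gif", CLEAN_GIF), ("tainted gif", TAINTED_GIF),
                       ("script tag", SCRIPT_TAG), ("xml prolog", XML_PROLOG)]:
        print(name, "clean" if is_clean_upload(blob) else find_php_open_tags(blob))
```

The XML prolog is rejected just like the tainted GIF, which is the trade-off the thread points at: a content filter that is strict enough to catch every open-tag form also refuses common data formats.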