Hi,

2012/4/11 Stas Malyshev <smalys...@sugarcrm.com>:
> Hi!
>
>> I'm sure you have seen the same code in JSON hijack countermeasure.
>>
>> while(1){}
>
> I think you misunderstood what I mean. What I meant is you can inject
> code without <? the same way you can inject code with <?, so where's the
> improvement?
When template_mode=off, the only PHP tag that is allowed is an open tag at the beginning. Other PHP tags result in syntax errors. If I have a file that has kill() in the middle of the file and LFI is used, it will result in a syntax error. The improvement is "We don't have to inject kill()" and "LFI with data files results in syntax errors instead of disclosure" (e.g. include('/etc/passwd'), include('.htaccess')).

Did I answer your question?

> kill() function would be just an example of code being injected by
> hostile third party (intent on killing your server, presumably). If I
> can inject it with <?, what prevents me from injecting without <? ?

If an attacker can inject code at the beginning or make valid syntax at the beginning, they can succeed in the injection. This is true not only for PHP, but also for Ruby/Perl/Python. For example, a well-known Ruby code injection for a GIF image is

----
gif89a = 123; (attack code here)
----

This is valid Ruby code, and if the attacker could find a way to load the image, the attack script can be executed.

As I stated in the RFC, template_mode=off is not a perfect solution. Although it is not a perfect solution, it is as effective as null byte protection or allow_url_include.

I hope I answered your question.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
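An added example, not part of the original mail or of the PHP RFC it discusses, of the GIF/Ruby polyglot the message describes next to a plain data file. It is in Ruby because that is the language of the snippet in the message. It uses the uppercase "GIF89a" signature from the GIF format, which also happens to be a valid Ruby constant name, so the first statement is a constant assignment; the naive upload filter, the sample .htaccess content and the helper names are assumptions constructed for the demo. The code only syntax-checks the file bodies with RubyVM::InstructionSequence.compile (an MRI API) and never executes them, which is enough to show the point: the polyglot passes the signature check and parses, while the .htaccess body fails at its first token.

```ruby
# Added example (not from the original mail). Shows why a file that starts
# with a valid statement gets through a naive signature check and still
# parses as Ruby, while a plain data file fails at the first token.
# Nothing here is executed: we only compile, which is enough to tell a
# syntax error from success.

GIF_MAGIC = "GIF89a".freeze

# Constructed polyglot: the six-byte GIF89a signature is also a valid Ruby
# constant name, so the file begins with a constant assignment and the rest
# of the line is ordinary Ruby (a harmless puts stands in for attacker code).
POLYGLOT = "GIF89a = 123; puts 'attacker code would run here'\n".freeze

# Constructed .htaccess content, one of the data files named in the message.
# Its first token is '<', which cannot begin a Ruby expression.
HTACCESS = "<Files ~ \"\\.php$\">\n  Deny from all\n</Files>\n".freeze

# Naive upload filter (assumption): accept anything carrying the GIF signature.
def looks_like_gif?(data)
  data.start_with?(GIF_MAGIC)
end

# Syntax-check without running the code. Returns :ok when the source compiles
# and :syntax_error otherwise (RubyVM::InstructionSequence is MRI-specific).
def ruby_syntax(src)
  RubyVM::InstructionSequence.compile(src)
  :ok
rescue SyntaxError
  :syntax_error
end

# Both questions at once for a given file body: would the filter let it in,
# and would an interpreter that loads it see valid code or a syntax error?
def classify(data)
  { gif_signature: looks_like_gif?(data), ruby_syntax: ruby_syntax(data) }
end

if __FILE__ == $PROGRAM_NAME
  p classify(POLYGLOT)  # gif_signature: true,  ruby_syntax: :ok
  p classify(HTACCESS)  # gif_signature: false, ruby_syntax: :syntax_error
end
```

The same shape of check applies to the PHP discussion: whatever the attacker manages to place at the very beginning of the file decides whether a later include() sees code or a syntax error, and the signature check alone tells you nothing about that.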