Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 27 Sep 2011 00:38:50 +0200
From: Johannes Schlüter <johannes@...lueters.de>
To: Vincent Danen <vdanen@...hat.com>
Cc: oss-security@...ts.openwall.com, Rasmus Lerdorf <rasmus@....net>, Zeev
 Suraski <zeev@...d.com>, security@....net, Stas Malyshev
 <smalyshev@...arcrm.com>
Subject: Re: Re: CVE request: is_a() function may allow
 arbitrary code execution in PHP 5.3.7/5.3.8

On Mon, 2011-09-26 at 09:05 -0600, Vincent Danen wrote:
> * [2011-09-25 19:22:19 +0200] Pierre Joye wrote:
> 
> >On Sun, Sep 25, 2011 at 6:38 PM, Rasmus Lerdorf <rasmus@....net> wrote:
> >> So
> >> are we talking about the tiny number of people who have explicitly
> >> enabled allow_url_include and are running the code with this bad autoloader?
> >
> >Yes, and that's why it is a very very minor problem. However it was
> >not happening before the code change. The few cases where the class
> >names&co have been sanitize before and the developer did not think
> >about cases like the one describe in the blog post. I think it is even
> >more rare combination, but it was not happening before our change.
> 
> Thanks for all the discussion around this.
> 
> Pierre has it right... prior to the change, whether it was intended or
> not, documented or not, PHP did things a certain way and users could
> (for better or worse) rely on a certain behaviour to do "the right
> thing" (right in the context of their application, even if it is wrong
> in the context of writing good PHP code).  5.3.7 changed that, which
> left applications that used this "feature" in a vulnerable state.

The old code didn't make code secure. There was still a high chance that
an attacker might exploit such a broken __autoload() function. If there
is an security issue it is the existence of allow_url_include.

> It's unfortunate for everyone that PHP gets so many CVEs assigned to it
> for trivial little things.  I look at every CVE assigned for safemode
> or open_basedir bypass flaws... technically speaking, I would never
> consider those to be flaws because those functions are not meant to be
> sandboxing features or high security features, as outlined on PHP's
> page, however they do get CVEs assigned.
> 
> Even though PHP does not consider those features to be security
> protection features, CVEs are still assigned.  You would expect that
> most people would not rely on those features as security features, which
> means those "bypass" flaws should never really affect people in a
> security context, but the sad reality is that they do.  CVE does not
> distinguish between good programming habits or bad ones.  Flaws like
> this, that are only exposed due to bad programming in applications,
> still end up with CVEs assigned at the language level.

Well, I accept most of the safe_mode things. safe_mode is a way to also
limit "bad people" with local file access. Which is a different level.
(While nowadays virtualization etc. can be used to solve that need)

johannes

> I don't think those CVEs reflect poorly on PHP -- I think most people
> who know PHP, realize that people do dumb stuff and that a language like
> PHP makes it easier to do dumb stuff.
> 
> In this case, I think this particular issue is more worthy of a CVE than
> the open_basedir/safemode-related CVEs (and there are _lots_ of those).
> 
> ref: http://www.php.net/security-note.php
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.