Re: [RFC][DISCUSSION] Script only includes

From:
Date: Wed, 11 Feb 2015 00:29:50 +0000
Subject: Re: [RFC][DISCUSSION] Script only includes
Groups: php.internals
Hi Pavel,

On Tue, Feb 10, 2015 at 7:06 PM, Pavel Kouřil <[email protected]> wrote:

> IMHO the real solution to this problem is to educate the programmers
> how to write safer applications, not by ini settings.
>

We have tried to educate users already and introduced some
mitigations, e.g. allow_url_include, open_basedir.

However, enough time has passed to prove that wasn't enough, hasn't it?

PHP (many, and these are _only_ a few of them in the wild)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=

PERL (0 result)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=PERL&filter_author=inclusion&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Rails (0 result)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=Rails&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Python (0 result)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=Python&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

JSP (1 result - This is famous)
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=JSP&filter_exploit_text=inclusion&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

The picture is clear.

I value education as one of the most important security measures indeed.

However, education is not perfect. If there is an effective countermeasure,
it is better to adopt it. We can write web apps in PHP not only because
it's faster to write, but also because it's easier to write secure code.

We removed "script embedding" from regex functions, why not include?
My new proposal is simple and does not incur a performance penalty.

Regards,

--
Yasuo Ohgaki
[email protected]
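The inclusion bug class the message links to comes from letting request data choose the included file. The following is an added example, not code from the thread or from PHP itself: the unsafe pattern beside a hardened form that combines an allowlist, a realpath() containment check and a startup check that allow_url_include is off. The `pages/` directory, the `page` query parameter and the allowlist entries are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumed layout: this script lives
// next to a pages/ directory, and ?page=<name> selects what to render.

// Defence in depth: refuse to run at all with remote includes enabled.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    throw new RuntimeException('allow_url_include must be Off');
}

// Unsafe: the request decides which file is executed. open_basedir only
// limits the directory tree; it does not stop "../uploads/avatar.jpg"
// (an uploaded file with PHP inside it) from being included and run.
function render_page_unsafe(string $page): void
{
    include 'pages/' . $page;
}

// Hardened: map request names onto a fixed allowlist, then verify that
// the resolved path still sits under pages/ before including it.
function render_page(string $page): void
{
    static $allowed = ['home' => 'home.php', 'about' => 'about.php'];

    if (!isset($allowed[$page])) {
        http_response_code(404);
        return;
    }

    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $allowed[$page]);

    // realpath() returns false for a missing file; the prefix check
    // catches a symlink or later edit that points outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(404);
        return;
    }

    include $path;
}

render_page($_GET['page'] ?? 'home');
```

With the allowlist in place the included file is never derived from user input, which is what the ini-level mitigations named above can only approximate.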

