Hi,

I forgot to answer a question.

2012/4/10 Yasuo Ohgaki <yohg...@ohgaki.net>:
> Hi,
>
> 2012/4/10 Stas Malyshev <smalys...@sugarcrm.com>:
>> Hi!
>>
>>> 1. Find FLI vulnerable application.
>>> 2. Find a way to inject $_SESSION
>>> 3. Use session file to execute arbitrary PHP code.
>>
>> So, you assume you have broken application with no security AND it
>> allows you to inject arbitrary data in the session (which probably means
>> broken authorization too) and then somehow it's PHP vulnerability? I'm

No and Yes.

Many applications start a session without authentication.
The attacker knows his session ID and guesses the path to the session data.

If the program starts a session only when authentication is done, then
authentication is required.

I think authentication is not required in general, since developers
are educated to change the session ID at authentication. Most
applications start a session before authentication.

BTW, there are more cases of LFI without uploaded files. For example,
modern applications have cached data, and the cache may be used for LFI.
SQL injection may be used with LFI to take over the server.

>> sorry but this does not make too much sense to me. If you have an
>> application that allows to execute arbitrary code on external request,
>> this app has no security. How it is a vulnerability in PHP?

My previous reply had broken English, but I think you got the point.

The LFI risk is unique to PHP. The cause of the risk is the mandatory embedded script.
Just adding tag-less execution does not make much sense, but removing
the LFI risk does. IMHO.

Regards,

--
Yasuo Ohgaki
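As an added illustration (not code from this thread or from PHP itself), the two application-side controls the discussion touches on, written in PHP: an include that resolves a request parameter through a fixed allowlist instead of using a user-supplied path, and a login handler that regenerates the session ID at the authentication boundary. The template file names and the session save path are assumed.

```php
<?php
// Added example, not from the mailing-list thread. Shows two defender-side
// controls against the LFI-plus-session chain discussed above:
// (1) never build an include path from request data; resolve via an allowlist,
// (2) regenerate the session ID when authentication succeeds, and keep the
//     session contents limited to values the application itself produced.

declare(strict_types=1);

// Session files live outside the document root (assumed path), and
// strict mode rejects session IDs the server never issued.
ini_set('session.save_path', '/var/lib/php/sessions-private');
ini_set('session.use_strict_mode', '1');
session_start();

// Vulnerable pattern, shown only for comparison:
//   include $_GET['page'] . '.php';
// Any file readable by the web server can be pulled in, including data
// files whose contents a request was able to influence.

/** Map a request parameter to a template through a fixed allowlist. */
function resolveTemplate(string $requested): ?string
{
    static $allowed = [
        'home'    => __DIR__ . '/templates/home.php',    // assumed files
        'profile' => __DIR__ . '/templates/profile.php',
        'help'    => __DIR__ . '/templates/help.php',
    ];
    return $allowed[$requested] ?? null;
}

/** Call once credentials have been verified; $userId comes from the user store. */
function onAuthenticated(int $userId): void
{
    // New ID at the privilege boundary: a session ID known before login is
    // not the one that carries the authenticated state.
    session_regenerate_id(true);
    // Store only application-generated values, never raw request input.
    $_SESSION = ['uid' => $userId, 'auth_at' => time()];
}

$template = resolveTemplate((string)($_GET['page'] ?? 'home'));
if ($template === null) {
    http_response_code(404);
    exit('unknown page');
}
include $template;
```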

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php