Hi Yasuo,

Yasuo Ohgaki wrote:

> Hi Christoph,
> 
> On Wed, Feb 11, 2015 at 10:45 AM, Christoph Becker <cmbecke...@gmx.de>
> wrote:
> 
>>> We have already tried to educate users and introduced some
>>> mitigations e.g. allow_url_include, open_basedir.
>>>
>>> However, enough time has passed to prove that wasn't enough, isn't it?
>>>
>>> PHP (many and these are _only_ a few of them in the wild)
>>>
>> http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=
>>
>> I've arbitrarily checked the top most entry (u5CMS), and the LFI was
>> caused by `echo file_get_contents($_GET['...'])` basically.  There was
>> neither include|require(_once) involved, nor move_uploaded_file().  From
>> my, admittedly very limited, experience, this is a rather common source
>> of LFI vulnerabilities in PHP applications.  I'm afraid that educating
>> developers is the only way to avoid this kind of vulnerability.
> 
> 
> It's not my point. These are only the surface of them; as you can see, it contains
> only open source projects' vulnerabilities.
> 
> Script inclusion is common by evidence, unlike others.

If you mean "unlike other languages", I tend to agree.  However, I'm
still afraid that script inclusion vulnerabilities are *way* less common
than vulnerabilities due to *reading* and *displaying* (*not*
*executing*) arbitrary files in PHP applications.

> This is what I'm trying to change.
> Are PHP programmers worse than others?
> I don't think they are.

Certainly, there are many fine PHP programmers, but also there are many
PHP programmers who are not sufficiently educated with regard to security
(I might still be part of the latter group).

> Regards,

Regards,

-- 
Christoph M. Becker
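The pattern Christoph describes, `echo file_get_contents($_GET['...'])`, as an added example that is not part of the thread and is not the u5CMS code: a hypothetical "view file" endpoint in its vulnerable form beside a hardened form that confines reads to a base directory. The base directory, parameter name and file names are assumptions; the script builds its own fixture in the temp directory so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread or from u5CMS.
// A hypothetical "view file" endpoint in its vulnerable and hardened
// forms. $base, the request value and the file names are assumptions.

// VULNERABLE: the request value becomes part of the path unchanged, so
// a value of ../secret.txt (or ../../../../etc/passwd) is read and
// displayed. No include/require is involved, so allow_url_include does
// not help; open_basedir only helps if the deployment sets it.
function view_file_vulnerable(string $base, string $userPath): ?string
{
    $content = @file_get_contents($base . '/' . $userPath);
    return $content === false ? null : $content;
}

// HARDENED: canonicalise with realpath() and require the result to sit
// below the base directory; also reject NUL bytes and scheme prefixes
// ("php://", "phar://", "data:", ...) before touching the filesystem.
function view_file_hardened(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    if (strpos($userPath, "\0") !== false
        || preg_match('~^[a-z][a-z0-9+.\-]*:~i', $userPath) === 1) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; false if the file is missing.
    $resolved = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    // Prefix check including the separator, so "/tmp/public_x" does not
    // pass for base "/tmp/public".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $content = file_get_contents($resolved);
    return $content === false ? null : $content;
}

// Constructed fixture: a base directory with one public file and a
// "secret" file one level above it.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/public', 0700, true);
file_put_contents($root . '/public/hello.txt', "public content\n");
file_put_contents($root . '/secret.txt', "secret content\n");

$base = $root . '/public';
foreach (['hello.txt', '../secret.txt'] as $req) {
    printf("vulnerable(%-14s) => %s\n", $req,
        var_export(view_file_vulnerable($base, $req), true));
    printf("hardened  (%-14s) => %s\n", $req,
        var_export(view_file_hardened($base, $req), true));
}

// Clean up the fixture.
unlink($root . '/public/hello.txt');
unlink($root . '/secret.txt');
rmdir($root . '/public');
rmdir($root);
```

Running it shows the vulnerable function happily returning the contents of `secret.txt` for the traversal request, while the hardened function returns null for it and still serves `hello.txt`. The containment check works on the canonical path after `realpath()`, which is what makes it robust against `..`, symlinks and mixed separators; blacklisting `../` substrings alone would not be.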


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php