Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-03 Thread Bostjan Skufca @ domenca.si
Well, of course this was never meant to protect you from inside attacks. But if 
you also disable eval() then I believe it's pretty much harder to create a 
successful attack via chmod-777-write-exec procedure (from outside).

This patch is meant to prevent accidental DOS attacks by recursive inclusion 
(local users) and to some degree prevent the execution of external code 
via GET/POST variable exploit (remote attack).

But though it is not a complete assessment of the security risk, it is a step 
in the right direction - one can apply it and start thinking about a better 
solution/other risks etc.

regards,
Bostjan


On Wednesday 02 March 2005 20:09, Richard Lynch wrote:
> Bostjan Skufca @ domenca.com wrote:
> > From system security's standpoint:
> >
> > <?php
> > $content = file_get_contents('http://www.domain.net/file.inc');
> > echo $content;
> > ?>
> >
> > is OK, but
> >
> > <?php
> > include('http://www.domain.net/file.inc');
> > ?>
> >
> > is NOT!
> >
> > Nice patch, Tom, will probably use it myself too...
>
> I'll be interested to see if it works in practice...
> [see previous post of mine]
>
> Ya never know.
>
> I still haven't figured out why spam harvesters don't find even the
> simplest obfuscations like %40 and @
>
> But I guess if you come up with a billion fish every time you cast your
> line, you don't worry about buying better bait.
>
> I *suspect* this situation is different, in that you will have people
> actively trying to alter their attacks to bypass this blockage, and it's
> pretty simple to bypass.
>
> But, perhaps, it will turn out to be that there are so many unpatched
> wide-open places they can find that they'll never bother you again.
>
> I sure hope so, for your sake!
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Richard Lynch
Bostjan Skufca @ domenca.com wrote:
> From system security's standpoint:
>
> <?php
> $content = file_get_contents('http://www.domain.net/file.inc');
> echo $content;
> ?>
>
> is OK, but
>
> <?php
> include('http://www.domain.net/file.inc');
> ?>
>
> is NOT!
>
> Nice patch, Tom, will probably use it myself too...

I'll be interested to see if it works in practice...
[see previous post of mine]

Ya never know.

I still haven't figured out why spam harvesters don't find even the
simplest obfuscations like %40 and @

But I guess if you come up with a billion fish every time you cast your
line, you don't worry about buying better bait.

I *suspect* this situation is different, in that you will have people
actively trying to alter their attacks to bypass this blockage, and it's
pretty simple to bypass.

But, perhaps, it will turn out to be that there are so many unpatched
wide-open places they can find that they'll never bother you again.

I sure hope so, for your sake!

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Bostjan Skufca @ domenca.com
From system security's standpoint:

<?php
$content = file_get_contents('http://www.domain.net/file.inc');
echo $content;
?>

is OK, but

<?php
include('http://www.domain.net/file.inc');
?>

is NOT!

Nice patch, Tom, will probably use it myself too...

regards, 
Bostjan

On Wednesday 02 March 2005 11:54, Markus Mayer wrote:
> Correct me if I'm wrong, but isn't this already available in the standard
> PHP? In the php.ini file, you can refuse the inclusion of URLs:
>   allow_url_fopen = Off
>
> I think also Hardened PHP offers additional similar protections.
>
> Markus
>
> On Wednesday 02 March 2005 08:57, Tom Z. Meinlschmidt wrote:
> > Hi,
> >
> > I've experienced a lot of attacks in my hosting server due to silly users
> > and their scripts with holes. So I prepared this little patch to 4.3.10,
> > which disables using url wrappers in
> > include/include_once/require/require_once statements (switchable in
> > php.ini). See readme.security from patch
> >
> > patch is there:
> >
> > http://orin.meinlschmidt.org/~znouza/php_patch.txt
> >
> > comments are welcome
> >
> > /tom
> >

-- 
Best regards,

Bostjan Skufca
system administrator

Domenca d.o.o. 
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com




Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Markus Mayer
Correct me if I'm wrong, but isn't this already available in the standard PHP?  
In the php.ini file, you can refuse the inclusion of URLs: 
allow_url_fopen = Off

I think also Hardened PHP offers additional similar protections.

Markus

On Wednesday 02 March 2005 08:57, Tom Z. Meinlschmidt wrote:
> Hi,
>
> I've experienced a lot of attacks in my hosting server due to silly users
> and their scripts with holes. So I prepared this little patch to 4.3.10,
> which disables using url wrappers in
> include/include_once/require/require_once statements (switchable in
> php.ini). See readme.security from patch
>
> patch is there:
>
> http://orin.meinlschmidt.org/~znouza/php_patch.txt
>
> comments are welcome
>
> /tom
>

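Bostjan's point (fetching a URL as data is fine, handing it to include() is not) and Markus's allow_url_fopen = Off can also be enforced from the application side, so the php.ini switch or Tom's patch becomes defence in depth rather than the only barrier. The following is an added example written for this thread, not code from the thread or from the patch; it is PHP 4 compatible, assumes a pages/ directory next to the script, and the page-to-file map is constructed.

```php
<?php
// Added example, not code from the thread or from Tom's patch. A request
// parameter never reaches include() directly: it only selects a key in a
// fixed map of local files, so a value such as "http://www.domain.net/file.inc"
// or "../../etc/passwd" has no file name to resolve to. (File names constructed.)
$pages = array(
    'home'    => 'home.inc',
    'contact' => 'contact.inc',
);

// Returns the absolute local path for a page key, or false if the key is
// unknown or the resolved file lies outside $base.
function safe_include_path($key, $pages, $base)
{
    if (!isset($pages[$key])) {
        return false;
    }
    $base_real = realpath($base);
    $real = realpath($base . '/' . $pages[$key]);
    if ($base_real === false || $real === false) {
        return false;
    }
    // prefix check: the resolved file must live inside the base directory
    $prefix = $base_real . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $real;
}

// Remote content is acceptable when treated as data: fetch it and escape it
// for output, never pass it to include()/require(). Returns false when
// allow_url_fopen is off (Markus's setting) or the fetch fails.
function fetch_as_text($url)
{
    if (!ini_get('allow_url_fopen')) {
        return false;
    }
    $content = @file_get_contents($url);
    return ($content === false) ? false : htmlspecialchars($content);
}

$key  = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = safe_include_path($key, $pages, dirname(__FILE__) . '/pages');
if ($file === false) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
include $file;
?>
```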



[PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-01 Thread Tom Z. Meinlschmidt
Hi,

I've experienced a lot of attacks in my hosting server due to silly users and
their scripts with holes. So I prepared this little patch to 4.3.10, which
disables using url wrappers in include/include_once/require/require_once
statements (switchable in php.ini). See readme.security in the patch

patch is there:

http://orin.meinlschmidt.org/~znouza/php_patch.txt

comments are welcome

/tom

-- 
===
Tomas Meinlschmidt, SBN3, MCT, MCP, MCP+I, MCSE, NetApp Filer & NetCache
gPG fp: CB78 76D9 210F 256A ADF4 0B02 BECA D462 66AB 6F56 / $ID: 66AB6F56
GCS d-(?) s: a- C++ ULHISC*$ P+++> L+++$> E--- W+++$ N++(+) !o
!K w(---) !O !M V PS+ PE Y+ PGP++ t+@ !5 X? R tv b+ !DI D+ G e>+++
h r+++ z+++@
===
