Comments for the Month of PHP Security
http://php-security.org "improving the security of the PHP ecosystem"
Tue, 01 Jun 2010 13:59:11 +0000

Comment on Article: Virtual Meta-Scripting Bytecode for PHP and JavaScript by Artur Ejsmont
http://php-security.org/2010/05/31/article-virtual-meta-scripting-bytecode-for-php-and-javascript/comment-page-1/#comment-15
Tue, 01 Jun 2010 13:59:11 +0000

Sorry to say that, but I'm really not convinced.

Security by obscurity is not the way to go as I see it (it's just my personal opinion). I guess it can be added as an extra measure, but there are tons of complications on the way with a project like this. To name a few: you hit performance, cross-browser and cross-platform barriers; obfuscation will introduce errors which will be very difficult to spot; you have to learn/use yet another syntax/tool with all its tricks and pitfalls, etc.

I think I would not be comfortable using such a tool unless it's a huge project led by Zend or so :)

The idea that sounds interesting, though, is to have an interpreter or VM (whatever) so that the same script runs in JS and PHP for simple things like form validation etc. You can have a look at DWR for Java ... it's quite nice.

Art

Comment on MOPS-2010-035: e107 BBCode Remote PHP Code Execution Vulnerability by stefanesser
http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/comment-page-1/#comment-14
Fri, 21 May 2010 16:34:53 +0000

First of all: security@e107.org was contacted BEFORE the release of the RCE vulnerability, but no reply from there yet.

And sorry, last time I checked e107 was written by the e107 developers and not by me. Therefore I don't see how I am responsible for the vulnerabilities implemented in e107.

Developers have to realise that the disclosed vulnerabilities were found by me in a very short time. Therefore it is unlikely that I am the first who found them. It is more likely that both vulnerabilities have been known to several people in the "underground" for a long time and are already used to take over e107 installations.

Aside from that, the advisory clearly tells users to disable the [php] bbcode completely by editing the php.bb file. Of course the better recommendation for people would be to use a secure CMS in the first place, but users of e107 need a quick fix.

That said, it was YOU, the e107 developers, that put users at risk by implementing something as dangerous and stupid as the [php] bbcode in the first place.

Comment on MOPS-2010-035: e107 BBCode Remote PHP Code Execution Vulnerability by Miroslav Yovchev
http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/comment-page-1/#comment-13
Fri, 21 May 2010 15:31:50 +0000

I personally can't see a reason why you are posting vulnerabilities without giving details and time in advance to the development team of the affected application. You are putting a lot of people at risk.

Comment on MOPS Submission 06: Variable Initialization in PHP by Oliver
http://php-security.org/2010/05/17/mops-submission-06-variable-initialization-in-php/comment-page-1/#comment-10
Tue, 18 May 2010 02:45:24 +0000

I'd love to see PHP changing the scope of variables, e.g. a variable declared inside a statement (or any block really) should be out of scope outside of that block.
This way you wouldn't need any notices, the code just wouldn't work, but would be very easy to fix.

Comment on MOPS Submission 06: Variable Initialization in PHP by cdamian
http://php-security.org/2010/05/17/mops-submission-06-variable-initialization-in-php/comment-page-1/#comment-11
Mon, 17 May 2010 20:31:50 +0000

In the first examples I would avoid the whole problem by directly assigning to the variable:

$auth = authUser($_POST["login"], $_POST["password"]);

Missing assignments can also be spotted quite easily if you have enough tests with good code coverage.

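The pattern cdamian's comment addresses, as an added example written for this page (it is not code from the MOPS submission, from the commenter, or from any PHP project). The flawed function assigns $auth only on the success path and then tests it, so any value the variable already held, here supplied through extract() on the request array to stand in for register_globals, survives a failed login. The fixed function assigns the result of the check directly. authUser() and the credentials are constructed for the demo.

```php
<?php
// Added example; authUser() is a hypothetical stand-in that accepts one
// constructed demo credential. A real implementation would verify a
// password hash, not a literal.
function authUser(string $login, string $password): bool
{
    return $login === 'alice' && hash_equals('correct horse', $password);
}

// Flawed pattern: $auth is only written on success. Whatever $auth held
// before the if-block is what a failed login returns. extract() on the
// request array simulates register_globals importing request parameters
// into the local symbol table.
function checkFlawed(array $request): bool
{
    extract($request);  // may define $auth from a request parameter
    if (authUser($request['login'] ?? '', $request['password'] ?? '')) {
        $auth = true;
    }
    return isset($auth) && (bool) $auth;
}

// Fixed pattern, as the comment suggests: the variable always holds the
// outcome of the check and nothing else, so nothing pre-seeded matters.
function checkFixed(array $request): bool
{
    $auth = authUser($request['login'] ?? '', $request['password'] ?? '');
    return $auth;
}

// Constructed requests for the demo.
$good = ['login' => 'alice', 'password' => 'correct horse'];
$bad  = ['login' => 'mallory', 'password' => 'wrong'];
$badWithInjectedAuth = $bad + ['auth' => '1'];

var_dump(checkFlawed($good));
var_dump(checkFlawed($bad));
var_dump(checkFlawed($badWithInjectedAuth));
var_dump(checkFixed($badWithInjectedAuth));
```

Run with `php` 7 or later (the `??` operator needs it). The third call is the interesting one: the flawed check accepts the bad credentials because the request carried an `auth` parameter, while the fixed check rejects them regardless of what else is in the request. Note that the same bug exists without register_globals wherever the variable is reused within one scope, for example in a loop that authenticates several users and only ever sets $auth on success.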
Comment on MOPS Submission 06: Variable Initialization in PHP by wellingtonrodrigues
http://php-security.org/2010/05/17/mops-submission-06-variable-initialization-in-php/comment-page-1/#comment-12
Mon, 17 May 2010 19:56:00 +0000

Greetings,

Very cool article, but for matters of authentication it would be much safer to carry the validity of the authentication session.

Best regards,

Wellington Rodrigues
PHP Programmer Brazil

Comment on Article: Decoding a User Space Encoded PHP Script by Jesse
http://php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/comment-page-1/#comment-7
Mon, 17 May 2010 12:29:37 +0000

hehe, I want to know the answer too.
However, when I put the encrypted PHP on Windows, it works well and outputs "hello world".
It just doesn't work on my Linux box. IMO, this might be caused by the locale environment.
Sorry to bother you.

Comment on Article: Decoding a User Space Encoded PHP Script by stefanesser
http://php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/comment-page-1/#comment-6
Mon, 17 May 2010 12:16:53 +0000

I am not sure how you download the files and how you execute them. However, the error you describe always happens when the unprintable characters in the PHP script get destroyed.

Comment on Article: Decoding a User Space Encoded PHP Script by Jesse
http://php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/comment-page-1/#comment-5
Mon, 17 May 2010 12:13:58 +0000

Well, I went to php-crypt.com and downloaded the encrypted "hello world" like below:
<?php
echo "hello world";
?>
But the error still occurs; here is the screenshot: i39.tinypic.com/1pc7yq.jpg
Regards,
Jesse

Comment on Article: Decoding a User Space Encoded PHP Script by stefanesser
http://php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/comment-page-1/#comment-9
Mon, 17 May 2010 11:46:53 +0000

This does not work for you because the encoded PHP contains a bunch of non-printable characters that cannot be displayed in the HTML. Therefore your copy of the script is incomplete. If you want to reproduce this test, you have to go to php-crypt.com and encode your own demo script.

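Both of stefanesser's replies above come down to the same diagnosis: the encoded script stops working once its non-printable bytes are lost in transit. The check below is an added example written for this page, not code from the article, from php-crypt.com or from the commenters. It classifies every byte of a file and reports whether any control or high bytes survive, which is the quickest way to tell a pasted-from-HTML or text-mode copy from an intact download. The sample blobs are constructed and do not resemble real encoder output; the definitive check, when the original is available, is a hash comparison.

```php
<?php
// Added example: byte-level integrity check for a copy of an encoded
// PHP script. Counts printable ASCII, control bytes (0x00-0x1F except
// tab/LF/CR, plus 0x7F), high bytes (0x80-0xFF) and line-ending style.
function scanBytes(string $data): array
{
    $stats = ['printable' => 0, 'control' => 0, 'high' => 0, 'crlf' => 0, 'lf' => 0];
    $len = strlen($data);
    for ($i = 0; $i < $len; $i++) {
        $b = ord($data[$i]);
        if ($b === 0x0D && $i + 1 < $len && $data[$i + 1] === "\n") {
            $stats['crlf']++;
            $i++;  // consume the LF of the CRLF pair
        } elseif ($b === 0x0A) {
            $stats['lf']++;
        } elseif (($b >= 0x20 && $b <= 0x7E) || $b === 0x09) {
            $stats['printable']++;
        } elseif ($b >= 0x80) {
            $stats['high']++;
        } else {
            $stats['control']++;
        }
    }
    return $stats;
}

// Heuristic verdict: an encoded script of the kind discussed carries raw
// control and/or high bytes. A copy with none of them has almost certainly
// been mangled (pasted from a browser, saved through a text editor, or
// transferred in text mode).
function looksIntact(string $data): bool
{
    $s = scanBytes($data);
    return ($s['control'] + $s['high']) > 0;
}

// Constructed samples: a blob with embedded raw bytes, and the same blob
// after a lossy copy that dropped everything outside printable ASCII.
$original = "<?php\n\x00\x01\x8a\xff" . 'echo 1;' . "\n";
$mangled  = preg_replace('/[^\x09\x0A\x0D\x20-\x7E]/', '', $original);

print_r(scanBytes($original));
print_r(scanBytes($mangled));
var_dump(looksIntact($original), looksIntact($mangled));

// Usage on a real file: php check.php path/to/encoded.php
if (PHP_SAPI === 'cli' && isset($argv[1]) && is_readable($argv[1])) {
    $data = file_get_contents($argv[1]);
    print_r(scanBytes($data));
    echo looksIntact($data)
        ? "non-printable bytes present, copy may be intact\n"
        : "no non-printable bytes, copy is probably damaged\n";
}
```

The constructed original reports control and high bytes and passes looksIntact(); the mangled copy reports none and fails it. The crlf/lf counts are there because a file that went through a Windows editor or an FTP text-mode transfer will show CRLF pairs that the original never had, which is another sign the bytes were rewritten. Run the check with `php -d display_errors=1` on the file you actually intend to execute, not on the text shown in the browser.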