Ravens PHP Scripts: Forums
djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv

Posted: Sat Feb 13, 2010 3:42 pm

So you can disable stuff in PHP, and many hosts just do that because they think it's safe.
Guess what: it's not!

First there was safe_mode, but it still allowed you to upload files and... after saving you couldn't delete the files anymore, which makes it a bigger security hole.
It is finally gone in PHP v6.

Then there is allow_url_fopen=false, which disables include/require/fopen from opening URIs. I proved you can work around this using your own stream wrapper.

Have you ever heard of suhosin and suphp?
Well, if you have, you may know you can disable the eval() language construct.
It's a shame you can work around this as well using a stream wrapper.
Just create a wrapper class and then include!
Code:
class eval_stream
{
   private $data = '';
   private $datapos = 0;
   private $datalen = 0;
   private $options;

   # bool stream_open ( string path, string mode, int options, string &opened_path )
   public function stream_open($path, $mode, $options, &$opened_path)
   {
      // The "file" being included is the base64 text that follows the scheme.
      if (!preg_match('#^[a-z\-+]+://([0-9a-zA-Z\+/=]+)#', $path, $match)) { return false; }
      $this->data = base64_decode($match[1]);
      $this->datalen = strlen($this->data);
      $this->options = $options;
      return true;
   }
   public function stream_close() { }
   public function stream_eof() { return $this->datapos >= $this->datalen; }
   // include() pulls the decoded source through here chunk by chunk.
   public function stream_read($bytes)
   {
      if ($this->stream_eof()) { return ''; }
      $r = substr($this->data, $this->datapos, $bytes);
      $this->datapos += strlen($r);
      return $r;
   }
   public function stream_write($data) { return 0; }
   public function stream_stat() { return false; }
   public function url_stat($path, $flags) { return false; }
   private function error($msg)
   {
      if ($this->options & STREAM_REPORT_ERRORS) { trigger_error($msg, E_USER_WARNING); }
      return false;
   }
}

stream_wrapper_register('eval', 'eval_stream');
include('eval://'.base64_encode('<?php var_dump($_SERVER); ?>'));


More and more workarounds will appear when scared, incapable hosts keep disabling stuff.
What does that say in the end?

The death of a great language?

What are your thoughts?

_________________
$ mount /dev/spoon /eat/fun auto,overclock 0 1
ERROR: there is no spoon
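As an added, defender-side example (not code from the post or its author): a small Python scan of uploaded PHP source that flags the pattern shown above, a user-registered stream wrapper combined with an include through its own scheme, and decodes the base64 payload so a reviewer can see what would have run. The PHP sample it scans is constructed for this example.

```python
import base64
import re

# Constructed sample of a PHP file as found during a review of a shared host;
# the wrapper/include pair mirrors the technique in the post above.
PAYLOAD_B64 = base64.b64encode(b"<?php var_dump($_SERVER); ?>").decode()
SAMPLE_PHP = f"""<?php
class eval_stream {{ /* wrapper body omitted in this sample */ }}
stream_wrapper_register('eval', 'eval_stream');
include('eval://{PAYLOAD_B64}');
require 'file:///var/www/html/lib.php';
"""

# Schemes PHP ships with; an include through any other scheme means a
# user-registered wrapper (or an extension) is supplying the "file".
BUILTIN_SCHEMES = {"file", "php", "http", "https", "ftp", "ftps", "data",
                   "glob", "phar", "zlib", "compress.zlib", "compress.bzip2"}

REGISTER_RE = re.compile(r"stream_wrapper_register\s*\(\s*['\"]([\w.+-]+)['\"]")
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([a-z][\w.+-]*)://([^'\"]*)['\"]",
    re.IGNORECASE)


def scan_php(source):
    """Report registered wrapper schemes and includes that go through a
    non-built-in or user-registered scheme, decoding base64 payloads."""
    registered = set(REGISTER_RE.findall(source))
    findings = []
    for m in INCLUDE_RE.finditer(source):
        scheme, rest = m.group(1).lower(), m.group(2)
        if scheme in BUILTIN_SCHEMES and scheme not in registered:
            continue  # ordinary include, e.g. file:///... ; not interesting here
        finding = {"scheme": scheme, "target": rest,
                   "user_wrapper": scheme in registered, "decoded": None}
        # The post's wrapper carries the code base64-encoded in the URL itself.
        if re.fullmatch(r"[A-Za-z0-9+/=]+", rest):
            try:
                finding["decoded"] = base64.b64decode(
                    rest, validate=True).decode("utf-8", "replace")
            except ValueError:
                pass
        findings.append(finding)
    return {"registered_schemes": sorted(registered),
            "suspicious_includes": findings}


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP)["suspicious_includes"]:
        print(f"{f['scheme']}:// include, user wrapper={f['user_wrapper']}")
        print("  decoded payload:", f["decoded"])
```

A user wrapper registered without the STREAM_IS_URL flag counts as local, so allow_url_include=Off does not stop this include; listing stream_wrapper_register in disable_functions does.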
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

Posted: Sat Feb 13, 2010 5:09 pm

DJMaze wrote:
The death of a great language?

Never!

DJMaze wrote:
More and more workarounds will appear when scared incapable hosts keep disabling stuff.
What does that say at the end?

Hosts need to be smarter. And I believe many are getting smarter. However, you are making a very good point. Vigilance (maybe even hyper-vigilance?) is required on the part of the user. However, this probably won't be nearly enough, as Windows has been around much longer than PHP and Windows is still being (cr/h)acked.

There are different ways of getting around eval(), as are pointed out HERE. But that's not the point you're trying to make. My thoughts, basically, are that (cr/h)acking will continue, as well as work-arounds, long after my demise, so I will continue as long as I can to slay those windmills!
Powered by phpBB © 2001-2007 phpBB Group