[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fixing stupid PHP application design flaws

On Thu, Apr 28, 2005 at 03:15:08PM +0200, Martin Schulze wrote:
> Hey!
> What do people on this list think about fixing PHP include files in a
> DSA that are accessible via HTTP as well and contain one bug or
> another as they are not supposed to be accessible via HTTP but
> accidently are.
> I'm rather annoyed by the lack of comptence of some PHP coders who
> manage their project in a way so that include files are stored within
> the regular DocumentRoot and are hencely accessible via HTTP as well.
> Include files normally also don't contain any precaution about being
> "executed" standalone.
> These files should not be accessible via HTTP in the first place but
> put into /usr/share/something instead and included from there.

I don't think that those include files are per definition a problem -- a
well-managed project will only ship 'stock' include files only
containing functions, whether the user gets to see the source of it, or
it's being executed, it doesn't hurt.

Of course, it's different if this is not the case (non-function stuff in
include files). I'd myself be inclined to advice to only fix those
cases where there might be a potential problem. A lot of PHP web
applications are designed by upstream to be simply untarreable in the
place where the URL is supposed to be, and as such have include files
necessarily http-accessible. It's sometimes hard for packagers to fix
this, and when the include fiels cannot do harm, I don't see why.

It'd be wise for those projects to take the extra precaution by allowing
(and the Debian maintainer to do so) include files outside the web root,
but to DSA for such a thing when there might not even be a vulnerability
at all, seems premature to me. It'd be like fixing all uses of sprintf
because the programmer could have used snprintf to be more sure there is
no problem.
> As examples see the following problems:
> CAN-2005-0459 - information disclosure in phpmyadmin

This is a non-vuln in Debian -- everyone who guesses the server runs
Debian (by default, apache discloses that), knows the exact webpath:
/usr/share/phpmyadmin. No surprise by leaking that (besides the fact
that hiding it is security by obscurity).

> CAN-2005-0870 - cross site scripting in phpsysinfo

Yeah, that can be a real problem, and would probably warrant a fix --
most non-disruptive would be to prevent non-main include protection (by
defining a constant in the main sites, and checking for that one in the
include files).

Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)

Reply to: