PHP blamed for security problems

But if you include remote files via HTTP, then you are making a
HTTP request. You can't include source code from another server
because the HTTP response will not pass the code, only the output
from the code.

"Phil Roberts" <ph*****@HOLYfl atnetSHIT.net> wrote in message
news:Xn******** *************** **@216.196.97.1 32...
True it will not include the source, but only the output, you can write a
php script to output valid code.

an example would be:

<?php
print "<?php\n";
print "// do some evil here\n";
print "?>\n";
?>

And who's to blame for that? The php script? Or the sysadmin that gives
to many rights to the user that is running apache?

Tim Van Wassenhove <eu**@pi.be> wrote:

And who's to blame for that? The php script? Or the sysadmin that gives
to many rights to the user that is running apache?

I'd say the person who wrote the script, not the administrator. It
seems common sense to me that you wouldn't include a file comming in
from hostile input w/out very careful consideration, if you must
do it, make sure the file exists where you think it ought to, fits
within the boundaries of a carefully constructed regex etc.. (or
use a table-lookup approach that only allows files/urls that are
predetermined.)

The best bet is simply not to include anything from hostile input in the
first place. Every modern guide, book or tutorial I know of will tell you
not to be careless with user input, so I wouldn't blame PHP for it.

If the script is used to actually gain root access, then I'd either
blame the admin, the application that was exploited (setID executable
probably) or the OS itself, depending on how the system was compromised.
UNIX machines are supposed to be secure, with multiple users having
shell access. Damages should be limited to whatever userID was running
the script.

I feel kind of sorry for the user because he/she may have contracted out
the job, I would hope they'd get their money back at any rate!

Actually, better to not blame anyone, but learn from it. (and if you
were the programmer, do something to try & make up for the damages.)

Jamie

At a previous ISP -- who also was hosted my web site -- I noticed
one day that files I created/updated in PHP were assigned the
ownerid of ---- *me* -- my logonid for the hosting machine!
Crap!! I was also trying to use some secure (userid:passwor d)
http access to some things inside my account -- using file
ownerships to control access to some data.
I pointed this out to the 'web master', and asked "Why!?".
I never got a reply, but several days later I noticed the PHP
program(s) were no longer creating files with owner: my-userid.
Instead, they were ownerid: *root* !!! Geez-Zuss!!!
I moved my account(s) the next day.

Blame the design and programmers---not the PHP.

In India, we can file a case against anyone who damage one's name
with a kind of hoax. I don't know, whether we should take some efforts
to sue such people who intentionally damage PHP instead of blaming the
design and programmers.

On 2004-03-16, Tim Tyler <ti*@tt1lock.or g> wrote:

Here's what this morning's security advisory read here:
``Recently, we've seen an increase in malicious activity on
our servers, caused by hackers who have successfuly gained
shell access via insecure PHP scripts.

And who's to blame for that? The php script? Or the sysadmin that gives
to many rights to the user that is running apache?

Maybe php could prevent the usage of include(...) from a $_GET/$_POST but
how can that really be enforced...
By not running code taken from remote machines, perhaps?
I have been wanting to write an app for some times that go thru php scripts
and flags possible security risks. I don't know if i really have the time
to.

Tim Van Wassenhove <eu**@pi.be> wrote or quoted:

On 2004-03-16, Tim Tyler <ti*@tt1lock.or g> wrote:

> Here's what this morning's security advisory read here:
> ``Recently, we've seen an increase in malicious activity on
> our servers, caused by hackers who have successfuly gained
> shell access via insecure PHP scripts.

And who's to blame for that? The php script? Or the sysadmin that gives
to many rights to the user that is running apache?

Giving even rather minimal rights will allow the manipulation of files
on the server. The hacker is likely to be able to recover the system
password file and run it through a password cracker. In many cases,
this will be enough for them to make quite a mess - e.g. by using
compromised accounts to relay spam.

On 2004-03-18, Tim Tyler <ti*@tt1lock.or g> wrote:

Tim Van Wassenhove <eu**@pi.be> wrote or quoted:

On 2004-03-16, Tim Tyler <ti*@tt1lock.or g> wrote: > Here's what this morning's security advisory read here:
> ``Recently, we've seen an increase in malicious activity on
> our servers, caused by hackers who have successfuly gained
> shell access via insecure PHP scripts.

And who's to blame for that? The php script? Or the sysadmin that gives
to many rights to the user that is running apache?

Giving even rather minimal rights will allow the manipulation of files
on the server. The hacker is likely to be able to recover the system
password file and run it through a password cracker. In many cases,
this will be enough for them to make quite a mess - e.g. by using
compromised accounts to relay spam.

Imho the one to blame for should be the sysadmin for not using shadow
passwords. [...]