| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Jan 2011 12:26:44 +0300 From: Владимир Воронцов <vladimir.vorontsov@...ec.ru> To: Christian Sciberras <uuf6429@...il.com> Cc: Full disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: Oddities of PHP file access in Windows (R). Cheat-sheet [maybe 0day] Hello Chris, This article is written in order to emphasize the need to verify your user information, such as file names. Unfortunately, in our practice (mainly in Russia) of study of web applications, such meets are not always. I am very glad that all your applications are well protected! But also keep in mind that the vulnerability much more than meets the eye ... On Wed, 12 Jan 2011 10:11:08 +0100, Christian Sciberras <uuf6429@...il.com> wrote: > Yay, another PHP bashing paper. *cool* > > Sarcasm aside, this is all the more reason why one should validate/filter > user input. > The paper's details are new to me, however, as a web developer I can > confidently say that my filename-management-related routines are completely > safe against this attack. > Why? Because special characters such as those mentioned in the paper (which > by the way, aren't valid filename characters), are replaced be a legal and > safe alternative (such as a dash or underscore). > > We can blame PHP's magic. Then again you can blame C and C++'s pointer > magic > is the biggest security bug ever. > > Or you can blame the human factor behind the end, defective, product. > > Either-case, interesting study. My only complaint? Keep uninformed opinion > to yourself next time though, it only dirties you arguments. > > Cheers, > Chris. > > > > On Wed, Jan 12, 2011 at 9:59 AM, Владимир Воронцов < > vladimir.vorontsov@...ec.ru> wrote: > >> Hello Full-Disclosure! >> >> Abstract >> Notorious web development language, PHP, is under constant watch of the >> hackers, security >> researchers and other persons who just love to tinker around some stuff. >> Numerous vulnerabilities and >> bugs of PHP interpreter regularly highlights bug-tracks, wakes up >> administrators and burdens the minds >> of web site owners. And we never can know what nifty tricks PHP >> interpreter had reserved for our next >> day. In this paper we will describe details about how PHP treats file >> names on Windows operating >> systems, regarding the presence of different fuzzy characters >> >> Original English article: http://onsec.ru/onsec.whitepaper-02.eng.pdf >> >> -- >> Best regards, >> Vladimir Vorontsov >> ONsec security expert >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> -- Best regards, Vladimir Vorontsov ONsec security expert _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists