Date: Wed, 03 May 2006 20:30:12 +0200
From: Michael Schlenker <schlenk@...-oldenburg.de>
To: "Steven M. Christey" <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Dynamic Evaluation Vulnerabilities in PHP applications


Steven M. Christey wrote:
> ------------------------------------------------------
> Dynamic Evaluation Vulnerabilities in PHP applications
> ------------------------------------------------------
> 
> Following is a brief introduction to a growing class of serious
> vulnerabilities in PHP applications.  They can allow execution of
> arbitrary code or arbitrary functions, or read/write access of
> arbitrary internal variables.
> 

> Note that these types of vulnerabilities are not unique to PHP.  Other
> interpreted languages can have similar issues.  For example, Perl,
> Python, and Javascript have eval functions.  A recent myspace XSS
> issue used eval injection in Javascript [1], and eval injection has
> been reported in some Python applications (CVE-2005-2483,
> CVE-2005-3302) and Perl (CVE-2002-1750, CVE-2003-0770, CVE-2005-1527,
> CVE-2005-2837).
> 
One piece of advice for a lot of the eval-based problems could also be to use a
better language/technology for the task (if they really need eval at all; in
most cases eval is just the easy way to do things, not the best).

Take a look at Java's sandbox, or, if you want to look at an interpreted
language, at the Tcl safe interp functions, which provide a safe sandbox
for evaluating user code in cases like this.
(see http://www.tcl.tk/man/tcl8.5/TclCmd/interp.htm )

Basically you're telling PHP programmers to check their user-provided
inputs, always good advice. If they really want to provide users the
power for code execution, they should use a language or environment with
a proper sandbox.

Michael
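The thread's two points are that eval on user input is a whole vulnerability class (arbitrary code, arbitrary functions, arbitrary variables) and that the fix is either to validate the input or to move the evaluation into a sandbox. The following is an added example, not code from either poster, showing the "don't eval it, parse it" form of that advice in Python (one of the languages the original advisory names): an arithmetic evaluator that walks the AST against an allowlist of node types and refuses everything else, plus a dictionary dispatch table as the replacement for calling a function by a caller-supplied name. The function names, the `UnsafeExpression` exception and the small `ACTIONS` table are all assumptions of this example.

```python
"""Allowlist-based evaluation as an alternative to eval() on user input.

Added example, not from the Bugtraq thread. Only arithmetic over numeric
literals is accepted; names, attribute access and calls are refused before
anything is executed, which is what distinguishes this from eval().
"""
import ast
import operator

# Operators the evaluator is willing to apply. This is an allowlist: anything
# not listed here (including ** , which invites huge-number DoS) is refused.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {
    ast.UAdd: operator.pos,
    ast.USub: operator.neg,
}


class UnsafeExpression(ValueError):
    """Raised when the input contains anything beyond plain arithmetic."""


def _walk(node):
    # Every node type not matched below is refused. Falling back to eval()
    # here would reintroduce exactly the bug class the thread describes.
    if isinstance(node, ast.Expression):
        return _walk(node.body)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        return _BINARY_OPS[type(node.op)](_walk(node.left), _walk(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand))
    raise UnsafeExpression(f"refusing node of type {type(node).__name__}")


def safe_eval(source: str):
    """Evaluate an arithmetic expression without handing it to eval()."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not an expression: {exc.msg}") from exc
    return _walk(tree)


def is_accepted(source: str) -> bool:
    """True if the input would be evaluated, False if it is refused."""
    try:
        safe_eval(source)
        return True
    except UnsafeExpression:
        return False


# Replacement for "call whatever function the request names": the request
# only ever selects a key, and the key space is fixed here, not by the user.
ACTIONS = {
    "upper": str.upper,
    "lower": str.lower,
    "strip": str.strip,
}


def dispatch(action: str, value: str) -> str:
    """Run a caller-chosen action by dictionary lookup, never by name lookup."""
    try:
        func = ACTIONS[action]
    except KeyError:
        raise UnsafeExpression(f"unknown action {action!r}") from None
    return func(value)


if __name__ == "__main__":
    for expr in ("2 + 3 * 4", "-(10 - 4) / 3", "x + 1", "max(1, 2)"):
        print(f"{expr!r:>16} -> {'accepted' if is_accepted(expr) else 'refused'}")
    print(dispatch("upper", "sandboxed"))
```

The design choice worth noting is that the evaluator enumerates what it accepts rather than what it forbids: a denylist of "dangerous" substrings is the validation style that the eval-injection CVEs in the original advisory tend to defeat, whereas a node allowlist cannot be widened by clever input. The same shape carries over to PHP: parse the expression yourself, or map request parameters to a fixed table of callables, instead of passing either to `eval` or to a variable function call.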

