Bugtraq mailing list archives
Re: Dynamic Evaluation Vulnerabilities in PHP applications
From: Michael Schlenker <schlenk () uni-oldenburg de>
Date: Wed, 03 May 2006 20:30:12 +0200
Steven M. Christey wrote:
------------------------------------------------------
Dynamic Evaluation Vulnerabilities in PHP applications
------------------------------------------------------

Following is a brief introduction to a growing class of serious vulnerabilities in PHP applications. They can allow execution of arbitrary code or arbitrary functions, or read/write access of arbitrary internal variables.
Note that these types of vulnerabilities are not unique to PHP. Other interpreted languages can have similar issues. For example, Perl, Python, and Javascript have eval functions. A recent myspace XSS issue used eval injection in Javascript [1], and eval injection has been reported in some Python applications (CVE-2005-2483, CVE-2005-3302) and Perl (CVE-2002-1750, CVE-2003-0770, CVE-2005-1527, CVE-2005-2837).
One piece of advice for a lot of the eval-based problems could also be to use a better language/technology for the task (if they really need eval at all; in most cases eval is just the easy way to do things, not the best). Take a look at Java's sandbox, or, if you want to look at an interpreted language, at the Tcl safe interp functions, which provide a safe sandbox for evaluating user code for things like this (see http://www.tcl.tk/man/tcl8.5/TclCmd/interp.htm ). Basically you're telling PHP programmers to check their user-provided inputs, always good advice. If they really want to provide users the power for code execution, they should use a language or environment with a proper sandbox.

Michael
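To make the class of bug concrete, here is an added example (not code from either post) showing the eval-based template pattern Christey's note describes next to a version that treats the template as data and dispatches actions through an allowlist, so no dynamic evaluation is needed at all. It assumes PHP 7.4 or later; the placeholder names and handler names are invented for the illustration.

```php
<?php
// Added example, not from the original thread. Contrasts eval()-based
// interpolation with an allowlisted, data-only approach.

// Vulnerable pattern: the template string is spliced into PHP source and
// compiled by eval(). If any part of $template comes from a request, the
// requester controls code, not just text. Shown for contrast; not called below.
function render_unsafe(string $template, array $vars): string
{
    extract($vars);                       // also lets callers overwrite locals
    return eval('return "' . $template . '";');
}

// Hardened pattern: substitute a fixed set of known placeholders with
// str_replace(). The template is never compiled, so it cannot become code.
function render_safe(string $template, array $vars): string
{
    $allowed = ['name', 'count'];         // placeholders the application defines
    $search  = [];
    $replace = [];
    foreach ($allowed as $key) {
        $search[]  = '{' . $key . '}';
        $value     = isset($vars[$key]) ? (string) $vars[$key] : '';
        $replace[] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return str_replace($search, $replace, $template);
}

// Same idea for "call the function named in the request": map names to
// callables yourself instead of handing user input to call_user_func().
function dispatch_safe(string $action, array $handlers): string
{
    if (!array_key_exists($action, $handlers)) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    return ($handlers[$action])();
}

$handlers = [
    'list' => fn(): string => 'listing items',
    'help' => fn(): string => 'showing help',
];

echo render_safe('Hello {name}, you have {count} items', ['name' => 'Ann <b>', 'count' => 3]), "\n";
echo dispatch_safe('list', $handlers), "\n";
try {
    dispatch_safe('phpinfo', $handlers);   // not in the allowlist: rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```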