There are parts of PHP we all know very well, which are obviously bad. preg_replace, for example, has an option to execute code that you pass into it. This is obviously terrible design. Only an evil alien would have designed that feature into a language that way.
But there are other, more subtle features. The weird way they handle "filters" is diabolical. Exactly how you use this to take control of a PHP app means that the attack surface is in a way somewhat counterintuitive to a normal C/C++ auditor.
That's why, even if you are a GOOD auditor, you should still take our PHP auditing class July 24th and 25th in Columbia MD. It is not just about tracking input to bad functions. That part is given. It's about understanding the insane transforms that are possible in PHP - it is like you are playing Portal, but with data input that eventually will get your remote code execution. In any case, email [email protected] to sign up. It is worth FLYING TO COLUMBIA MD for! :>
And, in case you were one of the people to miss out on INFILTRATE altogether, I want to highlight another released video of a talk. Sue's talk was spectacular I thought, and now everyone can see it! http://vimeo.com/98215525
(Note: You can also email [email protected] to sign up for next year's INFILTRATE. :>)
-dave
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
