On Aug 22 2024, at 4:09 am, Rob Landers <rob@bottled.codes> wrote:
>
> If you have the ability to inject arbitrary code, you've already lost. It
> doesn't matter whether they use this feature, or just register a shutdown
> function, autoloader, replace classes/functions/methods entirely, or
> whatever. Should we remove those features as well?
I think it's a fallacy to claim "well if they got this far the game is over"
when it comes to application security. There are a million ways an attacker
could use this feature to covertly gain access to things like passwords before
they are encrypted, etc. that would enable lateral movement within an
organization that otherwise they might have difficulty achieving even with RCE
in a properly locked down system (e.g. PHP doesn't have the ability to write to
the filesystem / overwrite existing classes, etc.)
Regarding the subject at hand, I've made my case here and we can agree to
disagree -- changing the function lookup order is an easy win with security
benefits and, according to Ilija, performance benefits. I think it should be
seriously considered.
John