2012/4/8, Yasuo Ohgaki: > 2012/4/8 Ángel González <keis...@gmail.com>: >> How does it help security? >> If any, requiring '<?php' before executable code makes easier to filter >> out malicious files on apps with uploads in case there's a local >> inclusion vulnerability somewhere. >> > Attackers may inject PHP script almost anything/anywhere since > PHP code may be embed anywhere in a file. > > For example, malicious PHP script may be in GIF something like > > gif89a ...any data.. <?php exec('rm -rf /') ?> > > and all attacker have to do is include/require the data somehow. > Attacker cannot do that this for other languages, since they are > not a embedded language. I know case that attackers may inject > malicious perl/ruby script in data files, but PHP is too easy > compare to these languages. > > Regards, > > -- > Yasuo Ohgaki Yes, but if I properly check that there's no '<?php' in the uploaded files (as you should verify everything you allow users to upload), it can't be exploited. OTOH if the vulnerable include is not an include but an include_code, they could use a file which was > exec("rm -rf"); // Example of what not to do And was happily uploaded as "plain text".
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php