2012/4/8, Yasuo Ohgaki:
> 2012/4/8 Ángel González <keis...@gmail.com>:
>> How does it help security?
>> If any, requiring '<?php' before executable code makes easier to filter
>> out malicious files on apps with uploads in case there's a local
>> inclusion vulnerability somewhere.
>>
> Attackers may inject PHP script almost anything/anywhere since
> PHP code may be embed anywhere in a file.
>
> For example, malicious PHP script may be in GIF something like
>
> gif89a ...any data.. <?php exec('rm -rf /') ?>
>
> and all attacker have to do is include/require the data somehow.
> Attacker cannot do that this for other languages, since they are
> not a embedded language. I know case that attackers may inject
> malicious perl/ruby script in data files, but PHP is too easy
> compare to these languages.
>
> Regards,
>
> --
> Yasuo Ohgaki
Yes, but if I properly check that there's no '<?php' in the uploaded files
(as you should verify everything you allow users to upload), it can't be
exploited.
OTOH if the vulnerable include is not an include but an include_code,
they could
use a file which was
> exec("rm -rf"); // Example of what not to do
And was happily uploaded as "plain text".-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
