Hi Christoph,

On Wed, Feb 11, 2015 at 10:45 AM, Christoph Becker <cmbecke...@gmx.de>
wrote:

> > We have tried to educate users already and introduced some
> > mitigations, e.g. allow_url_include, open_basedir.
> >
> > However, enough time has passed to prove that wasn't enough, hasn't it?
> >
> > PHP (many, and these are _only_ a few of them in the wild)
> >
> http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=
>
> I've arbitrarily checked the top most entry (u5CMS), and the LFI was
> caused by `echo file_get_contents($_GET['...'])` basically.  There was
> neither include|require(_once) involved, nor move_uploaded_file().  From
> my, admittedly very limited, experience, this is a rather common source
> of LFI vulnerabilities in PHP applications.  I'm afraid that educating
> developers is the only way to avoid this kind of vulnerability.


It's not my point. These are only the surface of them; as you can see, it contains
only open source projects' vulnerabilities.

Script inclusion is common by evidence, unlike others.

This is what I'm trying to change.
Are PHP programmers worse than others?
I don't think they are.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
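An added example, not code from this thread or from any project it mentions: the `file_get_contents()` pattern Christoph describes, placed beside a hardened version that resolves the path and checks it against an allow-list and a fixed base directory. The directory and file names (`pages_demo`, `about.txt`) are constructed for illustration.

```php
<?php
// Vulnerable pattern from the thread: a request parameter is used directly as a path.
// allow_url_include does not apply, because nothing is include()d; open_basedir only
// helps when it is configured, so "../../etc/passwd" style traversal reads any file
// the web server can read.
function vulnerable_read(array $get)
{
    return file_get_contents($get['page']);
}

// Hardened version: restrict the name, consult an allow-list, then canonicalise the
// path and require it to stay under $baseDir before reading anything.
function safe_read($baseDir, array $allowed, $name)
{
    // 1. Only a plain file name with a fixed extension; no separators, no "..".
    if (!preg_match('/^[a-z0-9_-]+\.txt$/', $name)) {
        return false;
    }
    // 2. Allow-list: only files the application explicitly serves.
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    // 3. realpath() resolves ".." and symlinks and returns false for missing files;
    //    the resolved path must still be inside the resolved base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return file_get_contents($path);
}

// Constructed page directory for a stand-alone run.
$pages = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
if (!is_dir($pages)) {
    mkdir($pages);
}
file_put_contents($pages . DIRECTORY_SEPARATOR . 'about.txt', "about page\n");

var_dump(safe_read($pages, ['about.txt'], 'about.txt'));         // the file content
var_dump(safe_read($pages, ['about.txt'], '../../etc/passwd'));  // false: rejected by the name check
var_dump(safe_read($pages, ['about.txt'], 'secret.txt'));        // false: not on the allow-list
```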
