On Mon, Apr 6, 2009 at 12:47 AM, Brian Williams <[email protected]> wrote:
>
> if his code had read:
>
> error_log(__FUNCTION__ . "($username): called.", 3, $log_file);
>
> I wouldn't have made any comment at all.
>
> If the backticked code were not in double quotes it would be executed and
> the resulting output of the backticked code would be recorded to the log.
>
Brian,

This is not true. I tested what was discussed in this thread and here are the results.

(1) If an attacker submits the following as the $username:

`touch /tmp/fooooo`

This will be outputted to the logfile:

check_username(`touch /tmp/fooooo`): called.

The attacker's input is not executed. It is treated as a string.

(2) If an attacker submits the following as the $username:

<?php `touch /tmp/fooooo` ?>

This will be outputted to the logfile:

check_username(<?php `touch /tmp/fooooo` ?>): called.

The attacker's input is not executed. It is treated as a string.

Only if I process the logfile with php -f <logfile> will the code in (2) actually execute. The code in (1) won't even run since it's outside the <?php ?> tags, but that's a minor point.

Paul raises a good question about log processing software that might interpret and run the code....it seems that's where the real problem lies.

Konstantin Rozinov

_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
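The following script is an added example for readers of this thread; it is not code posted by Brian, Konstantin or anyone else on the list. It reproduces Konstantin's observation (backticks and a <?php tag inside a double-quoted string are written to the log as plain text) and pairs the original logging pattern with a hardened variant that addresses the log-processing concern Paul raised. The function name check_username_safe and the log path under sys_get_temp_dir() are assumptions made for the example.

```php
<?php
// Added example (not code from the thread): reproduces the observation above
// and adds a hardened logging routine. check_username_safe and the temp-file
// log path are assumptions made for this example.

// Constructed sample inputs, the same two shapes discussed in the thread.
$samples = [
    '`touch /tmp/fooooo`',
    '<?php `touch /tmp/fooooo` ?>',
];

$log_file = sys_get_temp_dir() . '/check_username_example.log';
@unlink($log_file);

// The pattern from the thread: untrusted input interpolated straight into the
// message. PHP runs backticks only as a bare operator in source code; inside a
// double-quoted string they are ordinary characters, so nothing executes here.
function check_username($username, $log_file)
{
    // message_type 3 appends to $log_file and adds no trailing newline.
    error_log(__FUNCTION__ . "($username): called.\n", 3, $log_file);
}

// Hardened variant (added here): accept only an allow-listed character set.
// When rejecting, write a JSON-encoded form with '<' and '>' hex-escaped, so the
// file never contains a literal "<?php" that a careless log processor or viewer
// could interpret, and every record stays on a single line.
function check_username_safe($username, $log_file)
{
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        $shown = json_encode($username, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES);
        error_log(__FUNCTION__ . "($shown): rejected.\n", 3, $log_file);
        return false;
    }
    error_log(__FUNCTION__ . "($username): called.\n", 3, $log_file);
    return true;
}

foreach ($samples as $s) {
    check_username($s, $log_file);
    check_username_safe($s, $log_file);
}
check_username_safe('konstantin', $log_file);

$contents = file_get_contents($log_file);
echo $contents;

// The raw routine wrote the backticks and the <?php tag verbatim: they are data
// in the file, not code that ran. The hardened routine's record carries
// \u003C?php instead of a literal open tag.
var_dump(strpos($contents, 'check_username(`touch /tmp/fooooo`): called.') !== false);
var_dump(substr_count($contents, '<?php'));        // records from the raw routine only
var_dump(substr_count($contents, '\\u003C?php'));  // records from the hardened routine
```

Run it with php on the command line and inspect the log it leaves in the temp directory. The allow-list is deliberately strict because the real risk in this thread is not PHP's string interpolation but whatever later reads the file: a log shipper, a web-based viewer, or someone feeding the file to an interpreter. Rejecting anything outside the expected character set, and escaping the tag characters in the one place raw input is still recorded, keeps executable-looking text out of the file regardless of what tool consumes it.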
