Bugtraq: Re: Dynamic Evaluation Vulnerabilities in PHP applications

[Michael Schlenker <schlenk () uni-oldenburg de>]

Steven M. Christey schrieb:
> ------------------------------------------------------
> Dynamic Evaluation Vulnerabilities in PHP applications
> ------------------------------------------------------
>
> Following is a brief introduction to a growing class of serious
> vulnerabilities in PHP applications.  They can allow execution of
> arbitrary code or arbitrary functions, or read/write access of
> arbitrary internal variables.
> Note that these types of vulnerabilities are not unique to PHP.  Other
> interpreted languages can have similar issues.  For example, Perl,
> Python, and Javascript have eval functions.  A recent myspace XSS
> issue used eval injection in Javascript [1], and eval injection has
> been reported in some Python applications (CVE-2005-2483,
> CVE-2005-3302) and Perl (CVE-2002-1750, CVE-2003-0770, CVE-2005-1527,
> CVE-2005-2837).
One advice for a lot of the eval based problems could also be to use a
better language/technology for task (if they really need eval at all, in
most cases eval is just the easy way to do things, not the best.)

Take a look at javas sandbox, or if you want to look at an interpreted
language at the Tcl safe interp functions which provide a safe sandbox
for evaluating user code things like this.
(see http://www.tcl.tk/man/tcl8.5/TclCmd/interp.htm )

Basically your telling PHP programmers to check their user provided
inputs, always good advice. If they really want to provide users the
power for code execution they should use a language or environment with
a proper sandbox.

Michael