Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: SANS PHP Port Scanner Remote Code Execution
From: Christian Sciberras <uuf6429 () gmail com>
Date: Wed, 6 Mar 2013 13:57:56 +0100

Ulisses,

No, I'm blaming developers that are not in the field of security for this
mess.

Chris.


On Wed, Mar 6, 2013 at 1:10 PM, Ulisses Montenegro <
ulisses.montenegro () gmail com> wrote:

Christian

If you're reading my email as "it's the developers' fault", then you got
it wrong -- I've been a developer for most of my life. And while things
have gotten better in the last years, there are still tons of "build your
blog 15 minutes" or "develop a twiiter clone in 2h"
tutorials/advertisements for various platforms and languages out there
which either assume security is a non-issue, or assume the
platform/language will take care of it for you.

Heck, the manpages for some libc functions on non-GNU platforms still show
vulnerable code in examples. perldoc is riddled with code that is just
enough to show how a given function should be used, but with no validation
whatsoever. I remember reading the training material for an Oracle product
(sorry, I really can't recall the name) which touted being able to have the
application security handled by infrastructure/middleware componentes as a
desirable feature.

So while I'd agree that we are getting better at this, we're still far
from ideal. The canonical "hello world" for most languages/platforms out
there, in most cases, still does not make explicit references to security
issues.


On Wed, Mar 6, 2013 at 8:49 AM, Christian Sciberras <uuf6429 () gmail com>wrote:

The article actually recommends looking for information from
www.w3schools.com <http://www.w3fools.com>?!

Here's a few other obviously missing things:
- script requires input but does not check for it (very bad PHP practice)
- what the hell is with that code? Ever heard about indentation?
- there should be some very basic sanitization; ints be ints and strings
be strings
- hiding all errors, that was a very smart thing to do....
- early 20's html and css coding style to boot

Regarding the tool itself, obviously it's not meant to be used publicly,
hence why I could close my eye in this respect.

UIlisses, developers already do this. Actually, they've been doing it for
quite some time.
Perhaps the "security experts" writing tutorials as in that article
should follow?


On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance <tzewang.dorje () gmail com>wrote:

+1
On 6 Mar 2013 10:41, "Ulisses Montenegro" <ulisses.montenegro () gmail com>
wrote:

Not including proper input validation and error handling in code
samples is one of the most common and harmful practices in the software
development industry -- doing it is not "optional" or "advanced", it is
mandatory unless you want to be pwned.

Developers need to start doing things properly from the very beginning,
as habits become harder and harder to change with experience.


On Wed, Mar 6, 2013 at 7:33 AM, Benji <me () b3nji com> wrote:

Actually, adding input sanitisation really wouldnt increase the code
size that much. Are you just incompetent?


On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz <gauri () tut by>wrote:

Dear list,

Well, I suppose this had to be a proof-of-concept piece of code to
demonstrate how port scanning can be done in PHP, not a production-grade
software. Adding input sanitization would increase the code size by a lot
and obscure the concept somewhat (not that there is much to be said anout
the concept though). Think we can give the dude some discount for that.

Nevertheless, seeing something like this coming from "Certified
Ethical Hacker and Security + certified" makes me doubt the worthness of
those certificates. Could be nice to know the exact naming of those
certificates to properly disregard them in the future.

With best regards,
Z.

2013/3/6 laurent gaffie <laurent.gaffie () gmail com>


http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/

Finding the vulnerability in this code is left as an exercise to the
reader.

PS: "*Your comment will be awaiting moderation forever."*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
“If debugging is the process of removing software bugs, then
programming must be the process of putting them in.” - *Edsger Dijkstra
*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





--
“If debugging is the process of removing software bugs, then programming
must be the process of putting them in.” - *Edsger Dijkstra*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]