[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?
Konstantin Rozinov
krozinov at gmail.com
Tue Apr 7 22:34:40 EDT 2009
On Mon, Apr 6, 2009 at 12:47 AM, Brian Williams <brianw1975 at gmail.com> wrote:
>
> if his code had read:
>
> error_log(__FUNCTION__ . "($username): called.", 3, $log_file);
>
> I wouldn't have made any comment at all.
>
> If the backticked code were not in double quotes it would be executed and
> the resulting output of the backticked code would be recorded to the log.
>
Brian,
This is not true. I tested what was discussed in this thread and here
are the results.
(1)
If an attacker submits the following as the $username: `touch /tmp/fooooo`
This will be output to the logfile: check_username(`touch /tmp/fooooo`): called.
The attacker's input is not executed. It is treated as a string.
(2)
If an attacker submits the following as the $username: <?php `touch /tmp/fooooo` ?>
This will be output to the logfile: check_username(<?php `touch /tmp/fooooo` ?>): called.
The attacker's input is not executed. It is treated as a string.
Only if I process the logfile with php -f <logfile> will the code in
(2) actually execute.
The code in (1) won't even run since it's outside the <?php ?> tags,
but that's a minor point.
Paul raises a good question about log processing software that might
interpret and run the code... it seems that's where the real problem
lies.
Konstantin Rozinov
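The script below reproduces tests (1) and (2) from the post against the logging call Brian quoted, and then shows the one condition under which the logged text does run: the logfile being handed to the PHP interpreter. It is an added example, not code from the thread or from either poster. It assumes a writable temp directory, uses a marker file under sys_get_temp_dir() in place of /tmp/fooooo, uses `include` of the logfile as an in-script stand-in for `php -f <logfile>`, passes the logfile path as a parameter instead of relying on a variable in scope, and adds a trailing newline to each log line so the two entries are readable. The hardened variant at the end (JSON_HEX_TAG encoding of the untrusted value) is a hardening suggestion added here, not something proposed in the thread.

```php
<?php
// Added example (not from the thread). Reproduces Konstantin's tests (1) and (2)
// and then the "php -f <logfile>" case. All paths and inputs are constructed.

$log_file = sys_get_temp_dir() . '/nycphp_demo.log';
$marker   = sys_get_temp_dir() . '/nycphp_marker';   // stands in for /tmp/fooooo
@unlink($log_file);
@unlink($marker);

// Brian's logging call. $username is interpolated inside a double-quoted string,
// so any backticks in it become characters of the string, not the shell operator.
// The "\n" is added here so the two log entries land on separate lines.
function check_username($username, $log_file)
{
    error_log(__FUNCTION__ . "($username): called.\n", 3, $log_file);
}

// Test (1): backticks alone. (Inside these double quotes $marker is interpolated,
// the backticks are literal, exactly the shape of the attacker's input.)
check_username("`touch $marker`", $log_file);
// Test (2): backticks wrapped in PHP open/close tags.
check_username("<?php `touch $marker` ?>", $log_file);

echo "Log contents after both calls:\n", file_get_contents($log_file);
echo "Marker file exists after logging? ", file_exists($marker) ? "yes" : "no", "\n";
// Expected: "no". Both inputs were written verbatim and never executed.

// The real hazard: something later treats the logfile as PHP source. `include`
// here has the same effect as `php -f $log_file` in the post. Never do this
// with real logs; it is here only to make the effect visible.
include $log_file;
echo "\nMarker file exists after include? ", file_exists($marker) ? "yes" : "no", "\n";
// Expected: "yes". The text from test (2) ran because it sat inside <?php ... ?>.
// The text from test (1) is outside any PHP tags, so include only echoed it.

// Hardening (added suggestion, not from the thread): JSON-encode the untrusted
// value with JSON_HEX_TAG so '<' and '>' become \u003C and \u003E. The logged
// line can then never contain a literal "<?php" open tag, and line breaks are
// escaped as \n. This is defence in depth; the primary rule remains "never feed
// a logfile to the PHP interpreter (include/require/eval/php -f)".
function check_username_hardened($username, $log_file)
{
    $safe = json_encode($username, JSON_HEX_TAG);
    error_log(__FUNCTION__ . "($safe): called.\n", 3, $log_file);
}

$hardened_log = sys_get_temp_dir() . '/nycphp_demo_hardened.log';
@unlink($hardened_log);
@unlink($marker);

check_username_hardened("<?php `touch $marker` ?>", $hardened_log);
echo "\nHardened log contents:\n", file_get_contents($hardened_log);

// Even the mistake of interpreting this log yields no code execution,
// because no "<?php" tag survives encoding.
include $hardened_log;
echo "\nMarker file exists after including hardened log? ",
     file_exists($marker) ? "yes" : "no", "\n";
// Expected: "no".

@unlink($log_file);
@unlink($hardened_log);
@unlink($marker);
```

Run it with `php demo.php` on a system where shell_exec is not disabled (the backtick operator depends on it). The first `include` is the only step that creates the marker file, which is the point of the thread: the logging call itself is inert, and the risk is entirely in whatever later consumes the log as code.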