Add whitelist support for php's wrappers

author: xXx-caillou-xXx 2018-08-27 13:56:44 +0200
committer: jvoisin 2018-08-27 11:56:44 +0000
commit: 096e7faa6a5e21e5416a7c8c484e27acd4636a66 (patch)
tree: 3dd11a05c4406280238459be917b8f47d22400f7 /doc/source/features.rst
parent: 6abdd9abca50c92390b94fbebb3e7065d5d532da (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 60366d4..540e982 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -344,6 +344,27 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice
 would be to use a different user to run PHP than for administrating the website,
 and using this feature to lock this up.
+.. _stream-wrapper-whitelist-feature:
+Whitelist of stream-wrappers
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Php comes with a `lot of different <https://secure.php.net/manual/en/wrappers.php>`__
+`stream wrapper <https://secure.php.net/manual/en/intro.stream.php>`__, and most of them
+are enabled by default.
+The only way to tighten a bit this exposition surface is to use the
+`allow_url_fopen/allow_url_include <https://secure.php.net/manual/en/features.remote-files.php>`__
+configuration options, but it's `not possible <https://bugs.php.net/bug.php?id=50715>`__
+to deactivate them on an individual basis.
+Examples of related vulnerabilities
+"""""""""""""""""""""""""""""""""""
+- `RCE via phar:// <https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017>`__
+- `Data exfiltration via stream wrapper <https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/>`__
+- `Inclusion via zip/phar <https://lightless.me/archives/include-file-from-zip-or-phar.html>`__
 .. _eval-feature:
 White and blacklist in ``eval``
author	xXx-caillou-xXx	2018-08-27 13:56:44 +0200
committer	jvoisin	2018-08-27 11:56:44 +0000
commit	096e7faa6a5e21e5416a7c8c484e27acd4636a66 (patch)
tree	3dd11a05c4406280238459be917b8f47d22400f7 /doc/source/features.rst
parent	6abdd9abca50c92390b94fbebb3e7065d5d532da (diff)

diff --git a/doc/source/features.rst b/doc/source/features.rst index 60366d4..540e982 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -344,6 +344,27 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice
344	would be to use a different user to run PHP than for administrating the website,	344	would be to use a different user to run PHP than for administrating the website,
345	and using this feature to lock this up.	345	and using this feature to lock this up.
346		346
		347	.. _stream-wrapper-whitelist-feature:
		348
		349	Whitelist of stream-wrappers
		350	^^^^^^^^^^^^^^^^^^^^^^^^^^^^
		351
		352	Php comes with a `lot of different <https://secure.php.net/manual/en/wrappers.php>`__
		353	`stream wrapper <https://secure.php.net/manual/en/intro.stream.php>`__, and most of them
		354	are enabled by default.
		355
		356	The only way to tighten a bit this exposition surface is to use the
		357	`allow_url_fopen/allow_url_include <https://secure.php.net/manual/en/features.remote-files.php>`__
		358	configuration options, but it's `not possible <https://bugs.php.net/bug.php?id=50715>`__
		359	to deactivate them on an individual basis.
		360
		361	Examples of related vulnerabilities
		362	"""""""""""""""""""""""""""""""""""
		363
		364	- `RCE via phar:// <https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017>`__
		365	- `Data exfiltration via stream wrapper <https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/>`__
		366	- `Inclusion via zip/phar <https://lightless.me/archives/include-file-from-zip-or-phar.html>`__
		367
347	.. _eval-feature:	368	.. _eval-feature:
348		369
349	White and blacklist in ``eval``	370	White and blacklist in ``eval``