Add whitelist support for php's wrappers

author: xXx-caillou-xXx 2018-08-27 13:56:44 +0200
committer: jvoisin 2018-08-27 11:56:44 +0000
commit: 096e7faa6a5e21e5416a7c8c484e27acd4636a66 (patch)
tree: 3dd11a05c4406280238459be917b8f47d22400f7 /doc/source
parent: 6abdd9abca50c92390b94fbebb3e7065d5d532da (diff)
2 files changed, 32 insertions, 0 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 14626ce..e209ecb 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -191,6 +191,17 @@ disable_xxe
  sp.disable_xxe.enable();
+Whitelist of stream-wrappers
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:ref:`Stream-wrapper whitelist <stream-wrapper-whitelist-feature>` allows
+to explicitly whitelist some `stream wrappers <https://secure.php.net/manual/en/intro.stream.php>`__.
+::
+  sp.wrappers_whitelist.list("file,php,phar");
 Eval white and blacklist
 ^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 60366d4..540e982 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -344,6 +344,27 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice
 would be to use a different user to run PHP than for administrating the website,
 and using this feature to lock this up.
+.. _stream-wrapper-whitelist-feature:
+Whitelist of stream-wrappers
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Php comes with a `lot of different <https://secure.php.net/manual/en/wrappers.php>`__
+`stream wrapper <https://secure.php.net/manual/en/intro.stream.php>`__, and most of them
+are enabled by default.
+The only way to tighten a bit this exposition surface is to use the
+`allow_url_fopen/allow_url_include <https://secure.php.net/manual/en/features.remote-files.php>`__
+configuration options, but it's `not possible <https://bugs.php.net/bug.php?id=50715>`__
+to deactivate them on an individual basis.
+Examples of related vulnerabilities
+"""""""""""""""""""""""""""""""""""
+- `RCE via phar:// <https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017>`__
+- `Data exfiltration via stream wrapper <https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/>`__
+- `Inclusion via zip/phar <https://lightless.me/archives/include-file-from-zip-or-phar.html>`__
 .. _eval-feature:
 White and blacklist in ``eval``
author	xXx-caillou-xXx	2018-08-27 13:56:44 +0200
committer	jvoisin	2018-08-27 11:56:44 +0000
commit	096e7faa6a5e21e5416a7c8c484e27acd4636a66 (patch)
tree	3dd11a05c4406280238459be917b8f47d22400f7 /doc/source
parent	6abdd9abca50c92390b94fbebb3e7065d5d532da (diff)

diff --git a/doc/source/config.rst b/doc/source/config.rst index 14626ce..e209ecb 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst
@@ -191,6 +191,17 @@ disable_xxe
191	sp.disable_xxe.enable();	191	sp.disable_xxe.enable();
192		192
193		193
		194	Whitelist of stream-wrappers
		195	^^^^^^^^^^^^^^^^^^^^^^^^^^^^
		196
		197	:ref:`Stream-wrapper whitelist <stream-wrapper-whitelist-feature>` allows
		198	to explicitly whitelist some `stream wrappers <https://secure.php.net/manual/en/intro.stream.php>`__.
		199
		200	::
		201
		202	sp.wrappers_whitelist.list("file,php,phar");
		203
		204
194	Eval white and blacklist	205	Eval white and blacklist
195	^^^^^^^^^^^^^^^^^^^^^^^^	206	^^^^^^^^^^^^^^^^^^^^^^^^
196		207


diff --git a/doc/source/features.rst b/doc/source/features.rst index 60366d4..540e982 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -344,6 +344,27 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice
344	would be to use a different user to run PHP than for administrating the website,	344	would be to use a different user to run PHP than for administrating the website,
345	and using this feature to lock this up.	345	and using this feature to lock this up.
346		346
		347	.. _stream-wrapper-whitelist-feature:
		348
		349	Whitelist of stream-wrappers
		350	^^^^^^^^^^^^^^^^^^^^^^^^^^^^
		351
		352	Php comes with a `lot of different <https://secure.php.net/manual/en/wrappers.php>`__
		353	`stream wrapper <https://secure.php.net/manual/en/intro.stream.php>`__, and most of them
		354	are enabled by default.
		355
		356	The only way to tighten a bit this exposition surface is to use the
		357	`allow_url_fopen/allow_url_include <https://secure.php.net/manual/en/features.remote-files.php>`__
		358	configuration options, but it's `not possible <https://bugs.php.net/bug.php?id=50715>`__
		359	to deactivate them on an individual basis.
		360
		361	Examples of related vulnerabilities
		362	"""""""""""""""""""""""""""""""""""
		363
		364	- `RCE via phar:// <https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017>`__
		365	- `Data exfiltration via stream wrapper <https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/>`__
		366	- `Inclusion via zip/phar <https://lightless.me/archives/include-file-from-zip-or-phar.html>`__
		367
347	.. _eval-feature:	368	.. _eval-feature:
348		369
349	White and blacklist in ``eval``	370	White and blacklist in ``eval``