Re: SANS PHP Port Scanner Remote Code Execution

[Ulisses Montenegro <ulisses.montenegro () gmail com>]

Christian

If you're reading my email as "it's the developers' fault", then you got it
wrong -- I've been a developer for most of my life. And while things have
gotten better in the last years, there are still tons of "build your blog
15 minutes" or "develop a twiiter clone in 2h" tutorials/advertisements for
various platforms and languages out there which either assume security is a
non-issue, or assume the platform/language will take care of it for you.

Heck, the manpages for some libc functions on non-GNU platforms still show
vulnerable code in examples. perldoc is riddled with code that is just
enough to show how a given function should be used, but with no validation
whatsoever. I remember reading the training material for an Oracle product
(sorry, I really can't recall the name) which touted being able to have the
application security handled by infrastructure/middleware componentes as a
desirable feature.

So while I'd agree that we are getting better at this, we're still far from
ideal. The canonical "hello world" for most languages/platforms out there,
in most cases, still does not make explicit references to security issues.


On Wed, Mar 6, 2013 at 8:49 AM, Christian Sciberras <uuf6429 () gmail com>wrote:

> The article actually recommends looking for information from
> www.w3schools.com <http://www.w3fools.com>?!
>
> Here's a few other obviously missing things:
> - script requires input but does not check for it (very bad PHP practice)
> - what the hell is with that code? Ever heard about indentation?
> - there should be some very basic sanitization; ints be ints and strings
> be strings
> - hiding all errors, that was a very smart thing to do....
> - early 20's html and css coding style to boot
>
> Regarding the tool itself, obviously it's not meant to be used publicly,
> hence why I could close my eye in this respect.
>
> UIlisses, developers already do this. Actually, they've been doing it for
> quite some time.
> Perhaps the "security experts" writing tutorials as in that article should
> follow?
>
>
> On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance <tzewang.dorje () gmail com>wrote:
>
> > +1
> > On 6 Mar 2013 10:41, "Ulisses Montenegro" <ulisses.montenegro () gmail com>
> > wrote:
> >
> > > Not including proper input validation and error handling in code samples
> > > is one of the most common and harmful practices in the software development
> > > industry -- doing it is not "optional" or "advanced", it is mandatory
> > > unless you want to be pwned.
> > >
> > > Developers need to start doing things properly from the very beginning,
> > > as habits become harder and harder to change with experience.
> > >
> > >
> > > On Wed, Mar 6, 2013 at 7:33 AM, Benji <me () b3nji com> wrote:
> > >
> > > > Actually, adding input sanitisation really wouldnt increase the code
> > > > size that much. Are you just incompetent?
> > > >
> > > >
> > > > On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz <gauri () tut by>wrote:
> > > >
> > > > > Dear list,
> > > > >
> > > > > Well, I suppose this had to be a proof-of-concept piece of code to
> > > > > demonstrate how port scanning can be done in PHP, not a production-grade
> > > > > software. Adding input sanitization would increase the code size by a lot
> > > > > and obscure the concept somewhat (not that there is much to be said anout
> > > > > the concept though). Think we can give the dude some discount for that.
> > > > >
> > > > > Nevertheless, seeing something like this coming from "Certified
> > > > > Ethical Hacker and Security + certified" makes me doubt the worthness of
> > > > > those certificates. Could be nice to know the exact naming of those
> > > > > certificates to properly disregard them in the future.
> > > > >
> > > > > With best regards,
> > > > > Z.
> > > > >
> > > > > 2013/3/6 laurent gaffie <laurent.gaffie () gmail com>
> > > > >
> > > > > > http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/
> > > > > >
> > > > > > Finding the vulnerability in this code is left as an exercise to the
> > > > > > reader.
> > > > > >
> > > > > > PS: "*Your comment will be awaiting moderation forever."*
> > > > > >
> > > > > > _______________________________________________
> > > > > > Full-Disclosure - We believe in it.
> > > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Full-Disclosure - We believe in it.
> > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > >
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
> > >
> > > --
> > > “If debugging is the process of removing software bugs, then programming
> > > must be the process of putting them in.” - *Edsger Dijkstra*
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/


-- 
“If debugging is the process of removing software bugs, then programming
must be the process of putting them in.” - *Edsger Dijkstra*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/