[imp] BUG: php 5 suhosin triggers MBOX_PREFIX separator

azurIt azurit at pobox.sk
Mon May 23 19:29:07 UTC 2011


Almost everything (or maybe everything) in suhosin can be disabled. I believe it is possible to tune it so Horde will work ok.

 
 ______________________________________________________________
 > Od: "Olivier" 
 > Komu: imp at lists.horde.org
 > Dátum: 23.05.2011 21:21
 > Predmet: Re: [imp] BUG: php 5 suhosin triggers MBOX_PREFIX separator
 >
 Yes, but is this the only edge effect of suhosin ?
 Olivier
 
 Le 23/05/2011 21:04, azurIt a écrit :
 > this can be disabled in suhosin:
 > http://www.hardened-php.net/suhosin/configuration.html#suhosin.post.disallow_nul 
 >
 >
 >
 >
 > ______________________________________________________________
 > > Od: "Michael M Slusarz" > Komu: imp at lists.horde.org
 > > Dátum: 23.05.2011 21:00
 > > Predmet: Re: [imp] BUG: php 5 suhosin triggers MBOX_PREFIX separator
 > >
 > Quoting Rick Romero :
 > > Quoting Michael M Slusarz : > >> Quoting Rick Romero : >> >>> 
 > Quoting Michael M Slusarz : >>> >>>> Quoting Olivier : >>>> >>>>>> 
 > suhosin[2446]: ALERT - ASCII-NUL chars not allowed within >>>>>> 
 > request variables - dropped variable 'view' (attacker >>>>>> 
 > 'XXX.XXX.XXX.XXX', file '.../services/ajax.php') >>>> >>>> Still 
 > waiting for someone to tell me how a NULL character, by >>>> itself, 
 > is a security threat. >>> >>> What if the variable is expected to be 
 > numeric and you start doing >>> math on it? >> >> But what if the 
 > variable ends up being 0.  That's a perfectly valid >> integer, but 
 > could cause problems if the application uses it as a >> divisor. >> 
 > >>> Isn't the purpose of suhosin to try and catch the stuff developers 
 > >>> didn't catch? >> >> But you can't break things that are supposed 
 > to work otherwise. >> NULL is a perfectly acceptable input in URL 
 > parameters. >> >> And, e.g. with the 0 value above, the interpreter 
 > CAN'T possibly >> catch/process all valid inputs.  That is the duty of 
 > the >> application author. > > I dunno.  I agree with your last 
 > paragraph, it's not suhosin's job > to be a substitute for proper 
 > input validation.   But kinda I think > that contradicts 'NULL is a 
 > perfectly acceptable input..'. > I mean - Do you really design an 
 > application and say "Yep, we're > going to expect a user (or unknown 
 > entity) to send a NULL here" ?
 > Why not?  That may be YOUR belief, or the way that you would code   
 > things, but the fact is *BOTH* PHP and the URL specs allow this to   
 > happen.  So it is broken behavior to disallow this.  Period.
 > In our case, we need a way to indicate a mailbox is not an IMAP   
 > mailbox.  I chose the method of including a null character in the   
 > mailbox string since this is the ONLY character not allowed in IMAP   
 > mailboxes (yes, all other control characters are allowed).  It works   
 > great everywhere - as it should because it doesn't violate any spec or 
 >   API - except when using suhosin.  Suhosin = broken.
 > > Assuming it's coded 'properly' that variable should have been > 
 > pre-set in code, and upon receiving a URL param with data outside > 
 > the expected range (numerical, >0), promptly ignored it.  Or am I > 
 > wrong?
 > You would be wrong.  Why do you want to ignore proper URL form data?   
 > If someone sends you an encoded null character (%00), that's a   
 > character within the allowed range so why should it be treated any   
 > differently?
 > What if I have a page that sends the first 16 bytes of an image   
 > provided to it to the server to do some kind of MIME Magic testing -   
 > preventing the need to send the whole file.  This binary data may   
 > contain nulls.  Who are you to tell me that this is a "security"   
 > violation?
 > Just because null characters can be used for things such as buffer   
 > overruns in certain languages does not mean they are evil.  You simply 
 >   can't remove them from a data stream without knowing the context.  I 
 >   would be very wary of running something that supposedly "increases" 
 >   security on your machine when the actual theory behind that code is 
 >   this deeply flawed.
 > michael
 > ___________________________________ Michael Slusarz [slusarz at horde.org]
 -- 
 IMP mailing list
 Frequently Asked Questions: http://horde.org/faq/
 To unsubscribe, mail: imp-unsubscribe at lists.horde.org



More information about the imp mailing list