Steven M. Christey wrote:
> ------------------------------------------------------
> Dynamic Evaluation Vulnerabilities in PHP applications
> ------------------------------------------------------
>
> Following is a brief introduction to a growing class of serious
> vulnerabilities in PHP applications. They can allow execution of
> arbitrary code or arbitrary functions, or read/write access of
> arbitrary internal variables.
>
> Note that these types of vulnerabilities are not unique to PHP. Other
> interpreted languages can have similar issues. For example, Perl,
> Python, and Javascript have eval functions. A recent myspace XSS
> issue used eval injection in Javascript [1], and eval injection has
> been reported in some Python applications (CVE-2005-2483,
> CVE-2005-3302) and Perl (CVE-2002-1750, CVE-2003-0770, CVE-2005-1527,
> CVE-2005-2837).

One piece of advice for a lot of the eval-based problems could also be to use a better language/technology for the task (if they really need eval at all; in most cases eval is just the easy way to do things, not the best). Take a look at Java's sandbox, or, if you want to look at an interpreted language, at the Tcl safe interp functions, which provide a safe sandbox for evaluating user code for things like this (see http://www.tcl.tk/man/tcl8.5/TclCmd/interp.htm).

Basically you're telling PHP programmers to check their user-provided inputs, which is always good advice. If they really want to provide users the power of code execution, they should use a language or environment with a proper sandbox.

Michael
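As an added illustration of the two PHP patterns the quoted post describes (eval injection and arbitrary function calls) beside the input check the reply recommends, here is example code that is not from the thread; the action names, functions and dispatcher are hypothetical.

```php
<?php
// Added example, not code from the original post. A hypothetical request
// "action" dispatcher written two unsafe ways and one hardened way.

function list_items(): string { return "items"; }
function show_help(): string  { return "help"; }

// UNSAFE 1: eval(). The request value becomes PHP source text, so whatever
// expression the client sends is executed with the application's privileges.
function dispatch_eval(string $action): string {
    return eval('return ' . $action . '();');
}

// UNSAFE 2: variable function. No eval, but the request value still names
// any function defined in the process, not just the two intended here.
function dispatch_varfunc(string $action): string {
    return $action();
}

// HARDENED: the untrusted value is only ever a key into a fixed allow-list.
// Nothing it contains is interpreted as code or as a function name, and an
// unknown key is refused before any program logic runs. The same idea applies
// to variable-variable ($$name) writes: map keys to variables, never names.
const ACTIONS = [
    'list' => 'list_items',
    'help' => 'show_help',
];

function dispatch_safe(string $action): string {
    if (!array_key_exists($action, ACTIONS)) {
        http_response_code(400);
        return 'unknown action';
    }
    $fn = ACTIONS[$action];   // trusted name taken from our own table
    return $fn();
}

// Usage: the value would normally come from $_GET['action']; constructed here.
echo dispatch_safe('list'), "\n";
echo dispatch_safe('phpinfo'), "\n";   // refused: not in the allow-list
```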