Hi Ivo,

Jordan forwarded me your mail to provide some technical explanation. First of all, sorry for the delay; due to recent business travels and out-of-office events, I haven't had a lot of time to go through my mailbox.

The product version that you were using is a trial version, which does not support all of the most recent improvements we've added (version 1.2 will be released in January). You encountered one of the limitations when you noticed that calling your own functions caused a vulnerability. Due to the way our algorithms analyze and process information flow through function calls, we can sometimes determine a user-defined function to be vulnerable, regardless of the parameters passed to it. One simple (artificial) example would be the following situation:

    function update_last_login($user_id) {
        mysql_query('insert into users (id, login_date) values (' . $user_id . ',' . $_GET['date'] . ')');
    }

No matter if you sanitize $user_id or not, the function will always pass an unsanitized user parameter into an SQL query, so the function call will always lead to a vulnerability - this would even happen if there were no function parameters. In that situation, the current trial version will report those calls to your user-defined function as vulnerable, possibly without finishing the tainted information flow trace to the actual sensitive method (the mysql_query in the case above). A complete traceback with a more fine-grained reporting level has already been implemented but not yet deployed to the trial servers.

By the way, we would greatly appreciate any feedback that you could give us concerning usability and performance of the trial account. If you have any more technical questions, please don't hesitate to contact me.

Best regards,
Christian Hang
Chief Software Architect
Armorize Technologies, Inc.
email: chris@xxxxxxxxxxxx

-----Original Message-----
From: Ivo F.A.C. Fokkema [mailto:I.F.A.C.Fokkema@xxxxxxx]
Sent: Saturday, December 02, 2006 12:28 AM
To: php-general@xxxxxxxxxxxxx
Subject: Re: FW: Re: Please hack my app

Hi Jordan,

Thank you for your offer. As you know, I signed up a couple of days ago. I ran a scan yesterday and have gotten a big PDF file out of it. I've quickly scanned through the results and it appears there are a lot of times when I use one of my own functions (sometimes even without an argument) that it finds a vulnerability. I will analyze the results in more detail later on.

Would you appreciate comments on the service?

Thanks again,
Ivo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
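The behaviour Christian describes above (a function flagged at every call site because a source such as $_GET is read inside its body, so no sanitizing of the arguments can help) can be reproduced with a toy taint analysis. The following Python is an added example, not code from the mail thread or from the Armorize product; it assumes a tiny hand-built representation of PHP statements (sources, parameters, variables, literals, concatenation, sanitizers, sinks) rather than parsing real PHP, and the two contrasting function bodies beside update_last_login are constructed for the demonstration. It goes slightly beyond the mail by also showing the case where taint does depend on the caller, and the case where a sanitizer inside the body clears it.

```python
"""Toy interprocedural taint summary: which taint origins reach a sink?

Expression nodes (constructed mini-IR, not real PHP parsing):
    ("src", "$_GET['date']")     attacker-controlled input read in the body
    ("param", "$user_id")        function parameter
    ("var", "$x")                local variable
    ("lit", "text")              constant string
    ("concat", [e1, e2, ...])    string concatenation
    ("sanitize", e)              e.g. intval() / mysql_real_escape_string()
Statements:
    ("assign", "$x", expr)
    ("sink", "mysql_query", expr)
"""

# Marker for taint that originates inside the function body itself.
UNCONDITIONAL = "<in-body source>"


def taint_of(expr, env):
    """Return the set of taint origins (parameter names or UNCONDITIONAL)
    that can reach the value of expr, given the taint of local variables."""
    kind = expr[0]
    if kind == "src":
        return {UNCONDITIONAL}
    if kind == "param":
        return {expr[1]}
    if kind == "var":
        return set(env.get(expr[1], set()))
    if kind in ("lit", "sanitize"):
        # Assumption of this toy model: a sanitizer neutralises whatever reaches it.
        return set()
    if kind == "concat":
        origins = set()
        for sub in expr[1]:
            origins |= taint_of(sub, env)
        return origins
    raise ValueError(f"unknown expression kind: {kind}")


def summarize(body):
    """Function summary: every origin that reaches any sink in the body."""
    env = {}
    origins = set()
    for stmt in body:
        if stmt[0] == "assign":
            env[stmt[1]] = taint_of(stmt[2], env)
        elif stmt[0] == "sink":
            origins |= taint_of(stmt[2], env)
        else:
            raise ValueError(f"unknown statement kind: {stmt[0]}")
    return origins


def check_call(summary, tainted_args):
    """Decide a call site from the callee summary and the set of parameter
    names that are bound to attacker-controlled data at this call."""
    if UNCONDITIONAL in summary:
        return True, ("a source read inside the function body reaches a sink; "
                      "sanitizing the arguments cannot help")
    hit = summary & set(tainted_args)
    if hit:
        return True, "tainted argument(s) reach a sink: " + ", ".join(sorted(hit))
    return False, "no tainted data reaches a sink"


def insert_query(id_expr, date_expr):
    """The query string from the mail, built by concatenation."""
    return ("concat", [("lit", "insert into users (id, login_date) values ("),
                       id_expr, ("lit", ","), date_expr, ("lit", ")")])


# update_last_login($user_id) from the mail: $_GET['date'] is read in the body.
UPDATE_LAST_LOGIN = [
    ("sink", "mysql_query", insert_query(("param", "$user_id"), ("src", "$_GET['date']"))),
]

# Constructed contrast: the date arrives as a parameter, so taint depends on the caller.
UPDATE_LAST_LOGIN_PARAM = [
    ("sink", "mysql_query", insert_query(("param", "$user_id"), ("param", "$date"))),
]

# Constructed contrast: both values pass through a sanitizer before the query is built.
UPDATE_LAST_LOGIN_SAFE = [
    ("assign", "$id", ("sanitize", ("param", "$user_id"))),
    ("assign", "$when", ("sanitize", ("param", "$date"))),
    ("sink", "mysql_query", insert_query(("var", "$id"), ("var", "$when"))),
]


if __name__ == "__main__":
    for name, body, args in [
        ("update_last_login (from the mail), clean args", UPDATE_LAST_LOGIN, set()),
        ("update_last_login_param, tainted $date", UPDATE_LAST_LOGIN_PARAM, {"$date"}),
        ("update_last_login_param, clean args", UPDATE_LAST_LOGIN_PARAM, set()),
        ("update_last_login_safe, all args tainted", UPDATE_LAST_LOGIN_SAFE, {"$user_id", "$date"}),
    ]:
        vulnerable, why = check_call(summarize(body), args)
        print(f"{name}: {'VULNERABLE' if vulnerable else 'ok'} ({why})")
```

The summary of the first body contains UNCONDITIONAL, which is exactly why a scanner working from per-function summaries reports every call to it as vulnerable before it has even traced the caller's arguments; the second body is only flagged when the caller passes tainted data, and the third is never flagged because the sanitizers sit between the parameters and the sink.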