
Posted: Tue Aug 02, 2005 10:10 am
by Skittlewidth
Wow this post has gone way off my original topic. So this is what happens when you mention ASP in a PHP forum... :? :wink:

Posted: Tue Aug 02, 2005 10:14 am
by infolock
It's all your fault Skittlewidth!!! :D

Posted: Tue Aug 02, 2005 11:31 am
by nielsene
Even if you validate all your variables, it's possible that code can have unintended interactions when sets of variables are set that shouldn't be. If you aren't explicitly checking that you are only working on the variables you expect to be present you open up holes.

I.e., given some page interactions, an arbitrary collection of legal values does not make a valid request if some of the variables should have been mutually exclusive.
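
The point above, as an added example that is not part of the original post: every value passes its own validation, yet the request as a whole is rejected because it carries fields that should never arrive together, or fields the page never expected. The parameter names (`edit_id`, `delete_id`, `confirm`, `is_admin`) and the function `check_request_shape` are hypothetical.

```php
<?php
// Added illustration; field names and rules are hypothetical.

// Per-field validators: each field, taken alone, accepts only legal values.
$validators = [
    'edit_id'   => function ($v) { return is_string($v) && ctype_digit($v); },
    'delete_id' => function ($v) { return is_string($v) && ctype_digit($v); },
    'confirm'   => function ($v) { return $v === 'yes'; },
];

// Groups of fields that must never be present in the same request.
$exclusive = [['edit_id', 'delete_id']];

function check_request_shape(array $request, array $validators, array $exclusive): array
{
    $errors = [];
    // 1. Reject anything the page does not expect to be present.
    foreach (array_diff(array_keys($request), array_keys($validators)) as $extra) {
        $errors[] = "unexpected field: $extra";
    }
    // 2. Validate each expected field on its own.
    foreach ($validators as $name => $isValid) {
        if (array_key_exists($name, $request) && !$isValid($request[$name])) {
            $errors[] = "invalid value: $name";
        }
    }
    // 3. Reject legal values that arrive in an illegal combination.
    foreach ($exclusive as $group) {
        $present = array_intersect($group, array_keys($request));
        if (count($present) > 1) {
            $errors[] = 'mutually exclusive: ' . implode(', ', $present);
        }
    }
    return $errors;
}

// Constructed sample requests.
$samples = [
    'edit only'        => ['edit_id' => '7'],
    'edit and delete'  => ['edit_id' => '7', 'delete_id' => '7', 'confirm' => 'yes'],
    'unexpected field' => ['edit_id' => '7', 'is_admin' => '1'],
];
foreach ($samples as $label => $req) {
    $errors = check_request_shape($req, $validators, $exclusive);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', "\n";
}
```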

Posted: Tue Aug 02, 2005 1:07 pm
by infolock
OK, I'm sick and tired of hearing this.

I have 15 undefined variables. They are as follows:
bob
bob2
bob3
bob4
bob5
bob6
bob7
bob8
bob9
bob10
bob11
bob12
bob13
bob14
bob15


Go here. Try to break it.
http://www.jonhibbard.com/testme/undefined_var.php

If you can break it, I will bow down. If not, then stop this nonsense and accept the fact that WHILE undefined variables are bad, they are ONLY bad when you don't validate them. The point of this is the following reason: We have some very bright php developers. I by no means am the supo-supremo php coder or anything, but I am also not an idiot. The mere fact that I hear some experienced coders saying that validation is not key to security makes me cringe in horror. I, like most of you, define my variables BEFORE ever using them, HOWEVER, undefined variables can also be used just as easily with no problems.

So, go for it. I've given you the URL. Go there, break my script. Make me look like an idiot. I don't care one bit as I would rather be shown to be an idiot than to go on believing my ways are secure. But if you can't break the script, STOP trying to preach to people about something you have NO CLUE about. ANYONE can look up a term UNDEFINED PHP VARIABLE, see that some sites say it's unsecure, copy/paste their reasoning, and never know how or why that their reasoning works. The reason undefined variables can be unsecure is if people don't validate them. If you validate them, you have no worries. KTHNX.

Posted: Tue Aug 02, 2005 2:13 pm
by nielsene
That is a completely bogus test.

1. There is no way to tell if it's even a PHP page and not just static HTML; you could have just put up the HTML and laughed at anyone who tried anything.

2. This page isn't in the context of a site. We don't see how a person would reach it (thus revealing some variables). We don't see how a person would leave it, also revealing variables.

3. Finally, as Roja has said, it is up to YOU, claiming it is secure, to prove your point, not challenge us to disprove it.

Posted: Tue Aug 02, 2005 2:32 pm
by nielsene
infolock wrote:If you can break it, I will bow down. If not, then stop this nonsense and accept the fact that WHILE undefined variables are bad, they are ONLY bad when you don't validate them. The point of this is the following reason: We have some very bright php developers. I by no means am the supo-supremo php coder or anything, but I am also not an idiot. The mere fact that I hear some experienced coders saying that validation is not key to security makes me cringe in horror. I, like most of you, define my variables BEFORE ever using them, HOWEVER, undefined variables can also be used just as easily with no problems.
Validation is one of the key components to security, I don't think anyone in this thread has not agreed with that, but like everything in security, there is no magic bullet. Validation alone won't protect you from all threats.

I will STRONGLY disagree with that statement that "undefined variables can be used just as easily with no problems."
I will grant you, that it may be possible to secure some class of scripts and still have undefined variables around. HOWEVER, said script will be more brittle to changes and more apt to develop bugs as it's changed. Said script will also require more thought and care in the logic path layout to avoid exposing a vulnerability. Therefore it's not "just as easily". Perhaps you're an absolutely brilliant coder and the extra logic is effortless to you, but that's not the case for many developers and your stance here will only harm them.

Posted: Tue Aug 02, 2005 2:38 pm
by infolock
nielsene wrote:That is a completely bogus test.

1. There is no way to tell if it's even a PHP page and not just static HTML; you could have just put up the HTML and laughed at anyone who tried anything.

2. This page isn't in the context of a site. We don't see how a person would reach it (thus revealing some variables). We don't see how a person would leave it, also revealing variables.

3. Finally, as Roja has said, it is up to YOU, claiming it is secure, to prove your point, not challenge us to disprove it.
First of all man, u seriously think I would post a page up there without valid variables? If you think that, please, block my name. Don't read any of my posts. But everyone on this forum knows that I would never do that. I've been here for almost 3 years, so why would I lie? Ask any of these guys if they would trust me. I have never lied, and have no need to lie.

2nd of all, it is most DEFINITELY in the context of a site. NO SITE has to have html surrounding it to be a valid site. It may not meet the w3c standards, but IE will still display it, along with firefox right behind.

3rd : I AM proving my point. Have you broken it? No? Why is that? Oh, because I actually proved my point of validation of undefined variables not being insecure? Is that why it hasn't been broken? gee... what a concept.


Anyways, I'm still waiting. Anyone can bust this. This includes 15 bob variables, all undefined. You let me know when you can break it. nielsene, say that undefined variables are unsecure. You posted a big blog of information, and yet you can't seem to back it up? Prove me wrong. I even gave you the names of the variables. What more do you want? According to what I've read, it doesn't matter if you see my code or not. If I have undefined variables, it can be hacked according to those above statements.

I await those statements to be proven true. Until then, it's just another number in the wind to me.

Last but not least, I still cannot get over you saying I have to prove my point. What do you think I'm trying to do? Exactly just that. Now, in order for me to prove my point, you have to prove yours, thus causing my point to be invalid and FALSE. So, get to it guys! I want to see this *insecurity*


If you can't, then stop trying to bash me. Because the only thing you will accomplish is throwing an argument up with NO validating evidence that ANYTHING you say is any more true than what I'm saying.

You say that I'm giving these guys a bad practice? AU CONTRAIRE! The company I work for USES these practices, and guess what? We aren't a Fortune 500 company for nothing. It's because when you use good coding practice and sense, you have secure code that you can develop in ANY WAY YOU WANT, so long as you follow guidelines for security.

But I've been preaching about this for 2 pages now. Why must you make me repeat myself?

Posted: Tue Aug 02, 2005 2:46 pm
by Roja
infolock wrote:STOP trying to preach to people about something you have NO CLUE about.
As I said before, you are in the odd-man-out position, not us.

I've given examples. I've cited best practices. I've cited manuals, books, documentation, and quotes all agreeing that variables should be initialized before use for a multitude of reasons, most important being security.

I won't stop telling people - especially beginning programmers, on a learning forum - that using a variable before it is defined is dangerous.

Whether you argue that you can obscure it with unlikely variable names to reduce the risk, or argue that you can reduce the risk by validating, or argue that no one will meet some theoretical test you devise and thus they are wrong all matters not one bit.

It does not change the fact that an undefined variable is unsafe. The fact that you describe ways to reduce the risk of those variables specifically proves that - if the variable was defined to a known value, why would you need to validate it? Because it's unsafe.

If the variable was defined to a known value, why would you need an obscure variable name? Because it's unsafe.

The burden is on YOU, not us. The industry has spoken loudly, repeatedly, and over a period of years, not days. Time and again this point has been proven.

I respect your passion. Just as I don't always think OOP is the right answer, and often get into arguments with others who feel the opposite, I understand your frustration.

But this isn't just a matter of opinion (like when to use OOP), it's a proven point, cited by virtually every secure programming reference today. I stand humbly by their knowledge, not my own, and feel no need to defend them and their statements.

But I will continue to disagree with you, and continue to point to authoritative sources that also disagree with you so that new programmers will not be led astray.

As I said in a previous post, take your passion and ask the php security consortium to change their statement. Ask Zend to remove the warning, because it's inaccurate. Ask the authors of multiple books on secure programming why they included such wild inaccuracies.

I'm sure you will find their responses are at least as repetitive and consistent as ours are.

Posted: Tue Aug 02, 2005 2:48 pm
by infolock
Those examples can be found anywhere on the net Roja. I don't care about words. Action speaks louder. Now, if you want to show me, go for it. Otherwise, why keep wasting time and words?

Because listen man, and I want this to be 100% understood. ALL because someone says something is insecure, or even 500 people say it is insecure, does NOT mean it IS unsecure (insecure, unsecure, whatever. I am not a literature buff).

The point I'm trying to make is that what you are believing in is false. What you have an understanding of is GLOBAL VARIABLES. Globals are, proven and proven again, to be insecure based on exactly the things you posted.

Undefined Variables are a completely different matter, and you seem to be blinded by this fact.

All I'm saying is, my method works, it's secure, and it has no worries about being broken. Why else would I put it up if I didn't believe in it? I posted it there because obviously you all know something I don't. If you do, then use what you are preaching against this site I just posted. If it doesn't work, why not just say "info, ur right" instead of trying to make me out to sound stupid man? Because honestly, it's smurf me off.

Posted: Tue Aug 02, 2005 2:50 pm
by Roja
infolock wrote:Those examples can be found anywhere on the net Roja. I don't care about words. Action speaks louder. Now, if you want to show me, go for it. Otherwise, why keep wasting time and words?
I have no need to prove the world is round. My unwillingness to do so doesn't make the world flat.

Posted: Tue Aug 02, 2005 2:51 pm
by nielsene
infolock wrote: 2nd of all, it is most DEFINITELY in the context of a site. NO SITE has to have html surrounding it to be a valid site. It may not meet the w3c standards, but IE will still display it, along with firefox right behind.
No, I'm not talking about a web-page. I'm talking about a website. If the page doesn't do anything, then there is nothing to attempt to attack. We don't see what type of URL/form submission would bring us to this page; we don't see what kinds of behavior are possible given different totally legitimate inputs.
infolock wrote: 3rd : I AM proving my point. Have you broken it? No? Why is that? Oh, did I prove my point? Is that why it hasn't been broken? gee... what a concept.
Perhaps because I'm not a black hat. I tried a few simple things, as you probably know. I am not willing to try anything that would be considered illegal, even with your invitation.
infolock wrote: Last but not least, I still cannot get over you saying I have to prove my point. What do you think I'm trying to do? Exactly just that. Now, in order for me to prove my point, you have to prove yours, thus causing my point to be invalid and FALSE. So, get to it guys! I want to see this *insecurity*
To prove your point, versus asking us to disprove it:
Show us a line-by-line code audit. That's a positive proof. No amount of time between your challenge and a successful break proves anything.

Posted: Tue Aug 02, 2005 2:54 pm
by nielsene
infolock wrote: The point I'm trying to make is that what you are believing in is false. What you have an understanding of is GLOBAL VARIABLES. Globals are, proven and proven again, to be insecure based on exactly the things you posted.

Undefined Variables are a completely different matter, and you seem to be blinded by this fact.
What we're talking about doesn't require globals. We aren't equating globals with undefined variables. Register globals just makes it easier to exploit. And if your software gets installed by someone on a host that still has that on, your application, and reputation in the eyes of the user, is toast.
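
What the exchange above is arguing about, as an added example that is not part of the original thread: a flag assigned on only one code path can be supplied by the request whenever request data is imported as variables, while initializing it to a known value closes that path. `extract()` stands in here for `register_globals`, which current PHP no longer has; `check_password` and both handlers are hypothetical.

```php
<?php
// Added illustration. extract() on the request array emulates what
// register_globals did (an assumption of this example); check_password()
// and both handlers are hypothetical names.

function check_password(string $pw): bool
{
    // Placeholder check against a constructed value.
    return hash_equals('correct horse', $pw);
}

// Brittle: $authorized is assigned only on the success path, so when the
// check fails it stays undefined unless the request supplied it.
function handler_uninitialized(array $request): string
{
    extract($request); // request keys become local variables
    if (isset($password) && check_password($password)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin page' : 'denied';
}

// Hardened: read only the expected key and give the flag a known value
// before any branch can use it.
function handler_initialized(array $request): string
{
    $authorized = false;
    $password = $request['password'] ?? '';
    if (is_string($password) && check_password($password)) {
        $authorized = true;
    }
    return $authorized ? 'admin page' : 'denied';
}

// Constructed request: wrong password plus a variable the page never expected.
$request = ['password' => 'guess', 'authorized' => '1'];
echo 'uninitialized: ', handler_uninitialized($request), "\n";
echo 'initialized:   ', handler_initialized($request), "\n";
```

Note that the `'1'` supplied for `authorized` is a perfectly legal-looking value; what matters is that the flag had no defined value of its own before the request filled it in.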

Posted: Tue Aug 02, 2005 2:54 pm
by infolock
nielsene wrote:
infolock wrote: 2nd of all, it is most DEFINITELY in the context of a site. NO SITE has to have html surrounding it to be a valid site. It may not meet the w3c standards, but IE will still display it, along with firefox right behind.
No, I'm not talking about a web-page. I'm talking about a website. If the page doesn't do anything, then there is nothing to attempt to attack. We don't see what type of URL/form submission would bring us to this page; we don't see what kinds of behavior are possible given different totally legitimate inputs.
infolock wrote: 3rd : I AM proving my point. Have you broken it? No? Why is that? Oh, did I prove my point? Is that why it hasn't been broken? gee... what a concept.
Perhaps because I'm not a black hat. I tried a few simple things, as you probably know. I am not willing to try anything that would be considered illegal, even with your invitation.
infolock wrote: Last but not least, I still cannot get over you saying I have to prove my point. What do you think I'm trying to do? Exactly just that. Now, in order for me to prove my point, you have to prove yours, thus causing my point to be invalid and FALSE. So, get to it guys! I want to see this *insecurity*
To prove your point, versus asking us to disprove it:
Show us a line-by-line code audit. That's a positive proof. No amount of time between your challenge and a successful break proves anything.
My friend, you see, this is what I'm talking about. You want me to post the code, but I thought it didn't matter? I thought all you needed to know was that a site contained an undefined variable? Want me to turn E_ALL on for you? Ok, I will. But if you aren't gonna be able to disprove me, why not do what you said you could do?

If you want to take advantage of undefined variables, you say you can do so without the need of even seeing the other person's code. But when you SEE their code, yes, most DEFINITELY, you CAN take advantage of what they are doing. Thus why phpBB has so many vulnerabilities ALL the time because people are finding loopholes in their coding.

Now, if you want to waste my time, go ahead. But until someone can prove what I've been saying wrong, I'll not respond.

Posted: Tue Aug 02, 2005 3:00 pm
by nielsene
infolock wrote:
nielsene wrote:
infolock wrote: 2nd of all, it is most DEFINITELY in the context of a site. NO SITE has to have html surrounding it to be a valid site. It may not meet the w3c standards, but IE will still display it, along with firefox right behind.
No, I'm not talking about a web-page. I'm talking about a website. If the page doesn't do anything, then there is nothing to attempt to attack. We don't see what type of URL/form submission would bring us to this page; we don't see what kinds of behavior are possible given different totally legitimate inputs.
infolock wrote: 3rd : I AM proving my point. Have you broken it? No? Why is that? Oh, did I prove my point? Is that why it hasn't been broken? gee... what a concept.
Perhaps because I'm not a black hat. I tried a few simple things, as you probably know. I am not willing to try anything that would be considered illegal, even with your invitation.
infolock wrote: Last but not least, I still cannot get over you saying I have to prove my point. What do you think I'm trying to do? Exactly just that. Now, in order for me to prove my point, you have to prove yours, thus causing my point to be invalid and FALSE. So, get to it guys! I want to see this *insecurity*
To prove your point, versus asking us to disprove it:
Show us a line-by-line code audit. That's a positive proof. No amount of time between your challenge and a successful break proves anything.
My friend, you see, this is what I'm talking about. You want me to post the code, but I thought it didn't matter? I thought all you needed to know was that a site contained an undefined variable? Want me to turn E_ALL on for you? Ok, I will.
No, you don't understand. An attacker wouldn't need the source; the attacker would need to "profile" the application, seeing how it works, etc.

If you want to prove your point, however, in a positive manner, you must do a line-by-line code audit, showing how a user-provided variable could never reach application code. This will always require either initializing the value (no more undefined variables) or more elaborate logic (therefore not as easy as you claim).

Posted: Tue Aug 02, 2005 3:03 pm
by infolock
Wrong. You say it's able to be broken simply cuz there is an undefined variable. Now you are going so far as to say you need to see the code? Jesus Christ man, come on. Just admit you have NO CLUE what you are talking about.

Secondly, this code does exactly what it says it does. It checks to see if the variable $bob - $bob16 has been defined. If it hasn't, it posts "bob has not been defined".


Now, the part it doesn't say, is if it HAS been defined, it checks to see if the variable has any html characters or added slashes. If it does, it attempts to post that html code on the page. Otherwise, it posts "variable has not been defined"

What more do you want?