php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #17412 security problem with set_error_handler()
Submitted: 2002-05-24 10:29 UTC Modified: 2002-05-24 12:20 UTC
From: ferguson at knightsweb dot net Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 4.2.1 OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ferguson at knightsweb dot net
New email:
PHP Version: OS:

 

 [2002-05-24 10:29 UTC] ferguson at knightsweb dot net 
One reason I use set_error_handler() is to catch possible security problems... if a cracker/hacker is trying to gain access to my site, one thing he might do is try to change the code.... now, if I was trying to hack into a site by changing the code, the first thing I would do would do is cause parse errors!

The security issues I can see, of not allowing set_error_handler() to catch parse errors are:

	Informing a attacker when he has done something wrong so he can correct it!
	Giving information that php is powering the web site (by the error message)!
	Giving away sensitive information such as, what line he caused the error on!
	And most of all, not allowing the webmaster deal with a parse error cracker!

If a parse error is caused on a page that I have checked over, and know there are no parse errors on, the chances of a hacker/cracker are very good. In fact if a parse error is caused, I would like to be notified by email, (just like all the other errors) and I would like to deactivate the user (if any) that the intruder is logged in to. A third precaution, would be to try to ban the hacker/cracker computer from viewing any of my pages.

Adding support for pares errors with set_error_handling would also help to solve the rare cases where a parse error may actually exist on one of your pages. A more likely situation is where php builds pages according to user data. This would dramatically increase the changes of a parse error.

All in all, I think adding support for this would far outweigh the time it takes to implement it.

Thanks for listing,

Brendan

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-05-24 11:23 UTC] hholzgra@php.net 
set_error_handler() is executed *after* everything has been parsed (or not at all if parse errors occured), so there
is no easy way to implement the feature you are looking for

and if someone is able to change code on your box you
are lost anyway, aren't you? intrusion detection should
catch this way before anyone reaches this state IMHO
 [2002-05-24 12:20 UTC] rasmus@php.net 
Yup, this request makes very little sense.  If the remote user can somehow change the running code to introduce a parse error, then he might as well introduce valid code that doesn't cause a parse error but rather does something destructive to your system.  Invalid form data or any other user data can not cause a parse error.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun May 19 13:01:33 2024 UTC