To add such a tainted mode to PHP has been discussed several times in the past. It was rejected for several reasons like the obvious huge speed impact and the danger of false positives and a false sense of security. And indeed the way CORE GRASP is implemented it looks like a huge memory and speed overhead that should be tested. In addition to that their query parser will for example wrongly detect quotes escaped by doubling as injection attack.

Aside from this there are several other possible problems in the code like a remote one byte stack overflow (that seems harmless due to memory alignment), wrong handling of the _SERVER superglobal in case of JIT and it also seems that control characters like linebreaks can be injected into the logfiles. Further analysis and a deeper look into the code is needed.

However it has to be taken into account that this is the very first public version of CORE GRASP, so maybe all these problems are gone soon and support for further database engines is added.

Two major risks happen to exists with chris example:

1. Malicious people could misuse them as bouncers to attack other sites
2. Not every URL is a web page. Some can load plugins, display information and
   some can execute JavaScript.

Here is an example URL:

http://shiflett.org/csrf.php?csrf=javascript:alert(/I_AM_A_SECURITY_EXPERT/)

In Internet Explorer (and Safari) this will give you access to the domain (cookies, etc…). In Firefox you can still do other funny things.

So if you implement (javascript) redirector scripts, make sure you do a proper
whitelisting of the user delivered urls.

UPDATE: The above example for a simple XSS does no longer work. However there are still other XSS vulnerabilities like variable-width problems in the CSRF redirector and it is still an open bouncer for malicious persons.

EllisLab is pleased to release CodeIgniter version 1.7.2 for ready download.  What’s new?  Among other changes:

• Compatible with PHP 5.3.0
• Added a new Cart Class.
• Improvements to the Form helper
• Added is_php() to Common functions to facilitate PHP version comparisons
• Modified show_error() to allow sending of HTTP server response codes, and all internal uses now send proper status codes.
• Numerous bug fixes

Version 1.7.2 has been baking in the subversion for quite some time, and has been compatible with PHP 5.3.0 since late July, but many users understandably haven’t been running from the in-development version.  While I’d have liked to have had time to add a few more “big ticket” items to this release, making it 1.8, time is a cruel mistress.  Many of our users develop on Macs, and OS X Snow Leopard ships with PHP 5.3.0, so we felt is was more important to push out this stable maintenance release instead of waiting for an even later date – it’s been almost seven months since a refresh, afterall.  But there are still a few good surprises, and welcome changes.  Enjoy!

My old post on
compiling PHP for Mac OS 10.5 (Leopard) continues to top my most-viewed page
statistics. Sadly, that article is old and doesn’t apply very well to Snow
Leopard (10.6).

I’ve been meaning to post instructions on how to compile PHP for Snow
Leopard since last summer when I picked up the DVD, but hadn’t found the
time or opportunity to build PHP from a completely fresh start, until a few
weeks ago.

This time, I took notes on how to reliably compile PHP and Apache from
scratch on this system.

1. Download and install href="http://developer.apple.com/technologies/xcode.html">Xcode.
   You’re on your own for the details of this one, but frankly, if you can’t
   figure it out, you’ll find the next steps too difficult. Think of it as
   a prerequisite.

2. Create a working directory. I use ~/src,
   but you can use whatever you like.

   
   $ mkdir ~/src
   $ cd ~/src
     

3. Install href="http://github.com/mxcl/homebrew">Homebrew. Homebrew is
   a truly great software packager for OS X. Think Macports, but not as ugly;
   Fink, but not as broken (and not as binary). Designed for Mac. It’s Ruby,
   but we don’t have to hold that against them. (-:

   
   $ curl http://gist.github.com/raw/323731/572b315c4f7ee78244de70e7ad703c8ae324da7a/install_homebrew.rb > install_homebrew.rb
   $ ruby install_homebrew.rb
      

4. Install your own iconv. I don’t know what Apple did to
   theirs, but it’s a huge headache. You’re best installing your own, in my
   experience.

   
   $ curl http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz | tar -zx -
   $ cd libiconv-1.13.1
   $ ./configure --prefix=/opt && make && make install
   $ cd ..
     

5. Install Apache-HTTPD from source. This isn’t
   absolutely necessary, but Apple seems to have done some weird stuff with
   their Apache, and in my experience, it’s best to build your own. If you
   skip over this step, you’ll need to change the apxs in the
   PHP configure command, below.

   First, find your
   closest mirror.

   
   $ curl http://apache.mirror.iweb.ca/httpd/httpd-2.2.15.tar.bz2 | tar -jxf -
   $ cd httpd-2.2.15/
   $ ./configure --enable-rewrite --enable-ssl && make && make install
   $ cd ..
      

6. Install PHP dependencies using Homebrew. Easy, huh?

   
   $ echo "gd jpeg libpng libxml2 libzzip mcrypt mysql" | xargs brew install
   $ echo "libpng libxml2 readline" | xargs brew link
     

7. Install PHP from source by first selecting a href="http://php.net/get/php-5.3.2.tar.bz2/from/a/mirror">mirror.

   Note: you will need to use a really nasty patch to get this to
   build properly. See the note on iconv above. Even Apple’s own href="http://opensource.apple.com/source/apache_mod_php/apache_mod_php-53/patches/iconv.patch">iconv patch for PHP
   doesn’t work (at least not for me).

   
   $ curl -L http://ca2.php.net/get/php-5.3.2.tar.bz2/from/this/mirror | tar -jxf -
   $ cd php-5.3.2
   $ curl http://www.php.net/~scoates/patches/php-5.3.1-Makefile.global-iconv.patch | patch -p0
   $ ./configure --prefix=/usr/local --with-xsl --with-gd --with-zlib-dir \
     --enable-sockets --enable-exif --with-mcrypt --enable-soap \
     --enable-embedded-mysqli --with-mysql --with-pdo-mysql --with-curl \
     --with-libedit --with-apxs2=/usr/local/apache2/bin/apxs --enable-mbstring \
     --with-openssl --with-iconv=/opt && make && make install
   $ cd ..
     

8. Configure Apache. If you’ve done this on other
   platforms, this step should look familiar.

   1. In /usr/local/apache2/conf/httpd.conf, in the
      <IfModule mime_module> block, add the following:

      
      AddType application/x-httpd-php .php
      AddType application/x-httpd-php-source .phps
          

   2. Optionally, add PHP to DirectoryIndex by changing

      
      DirectoryIndex index.html
          

      to

      
      DirectoryIndex index.php index.html
          

   You can now test Apache + PHP by creating a phpinfo() page,
   and restarting Apache:

   
   $ echo "<?php phpinfo(); ?>" > /usr/local/apache/htdocs/info.php
   $ ln -s /usr/local/apache2/bin/apachectl /usr/local/bin/apachectl
   $ sudo /usr/local/bin/apachectl restart
     

   Now, visit localhost/info.php,
   and you should have an independent, custom-compiled Apache-PHP
   stack.

I hope this has been helpful. If I’ve given bad instructions, or if
something doesn’t work for some reason, please let me know in the
comments.

Stefan Esser has launched another Month of PHP security. It includes popular applications which use PHP as well as general bugs. He also includes a general PHP security article that you really should read to help secure your code. I?d also keep an eye out for the hardening of PHP configuration which will be released shortly.