security
Differences
security [2016/10/30 05:25] – stas | security [2021/07/12 15:28] – open_basedir bypasses are no security issues cmb | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Meta ====== | ||
+ | |||
+ | * Authors: Release Managers | ||
+ | * Date: November 2016 | ||
+ | * Version: 1.0.1 | ||
+ | * RFC: [[rfc: | ||
+ | |||
+ | ====== Introduction ====== | ||
+ | |||
For the sake of our users, we classify some of the issues found in PHP as " | For the sake of our users, we classify some of the issues found in PHP as " | ||
====== Classification ====== | ====== Classification ====== | ||
- | We classify as security issues bugs that allow users to execute unauthorized actions, cross security boundaries, access data that is not intended to be accessible, severely impact accessibility or performance of the system, etc. The purpose of this classification is to alert the users and the developers about the bugs that need to be prioritized in their handling. | + | We classify as security issues bugs that: |
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | The purpose of this classification is to alert the users and the developers about the bugs that need to be prioritized in their handling. | ||
We define three categories of security issues, by their severity, described below. Please note that this categorization is in many aspects subjective, so it ultimately relies on the judgement of the PHP developers. | We define three categories of security issues, by their severity, described below. Please note that this categorization is in many aspects subjective, so it ultimately relies on the judgement of the PHP developers. | ||
Line 9: | Line 25: | ||
===== High severity ===== | ===== High severity ===== | ||
- | This issue would allow third party to compromise any or most of the hosts running PHP, allowing to run arbitrary code or disable the system completely or access any file local PHP user can access. The issue can be triggered on any PHP install or on most typical PHP installs, and does not require exotic and non-recommended settings to be triggered. | + | These issues may allow: |
- | This category also involves | + | * third party to compromise any, or most installations of PHP |
+ | * the execution of arbitrary code | ||
+ | * disabling the system completely | ||
+ | * access to any file a local PHP user can access. | ||
+ | |||
+ | The issue can be triggered on any, or on most typical installations, | ||
+ | |||
+ | This category also includes | ||
This category also may include issues that require special code or code pattern if such code or pattern is present in many popular libraries. | This category also may include issues that require special code or code pattern if such code or pattern is present in many popular libraries. | ||
- | This kind of issues usually | + | This kind of issues usually |
===== Medium severity ===== | ===== Medium severity ===== | ||
+ | These issues may have the same potential to compromise an installation as a high severity issue, but may also require: | ||
- | This issue allows the same level of compromise as high severity issue, but requires particular and not commonly used extension, or particular type of settings, | + | * an extension that is not commonly used |
- | + | * a particular type of configuration | |
- | This category also may include issues that require special | + | * relies on old version of a third-party library being used |
+ | | ||
+ | * code that is very old, or extremely uncommon (and so is used infrequently) | ||
This kind of issues usually will have a CVE number, unless the required configuration is particularly exotic to the point it's not practically usable. | This kind of issues usually will have a CVE number, unless the required configuration is particularly exotic to the point it's not practically usable. | ||
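Review bot: the Medium severity bullets introduced under "may also require:" are not grammatically parallel, so one item does not read as a completion of that lead-in. "an extension that is not commonly used" and "a particular type of configuration" are noun phrases, but "relies on old version of a third-party library being used" is a verb phrase; "may also require: relies on old version ..." is not a sentence. Suggest rewording that item to match its siblings, for example "an old version of a third-party library", so every bullet completes "may also require".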
Line 28: | Line 54: | ||
===== Low severity ===== | ===== Low severity ===== | ||
- | This issue allows theoretical compromise of security, but practical attack is usually impossible or extremely hard due to common practices or limitations that are virtually always present. | + | This issue allows theoretical compromise of security, but practical attack is usually impossible or extremely hard due to common practices or limitations that are virtually always present |
+ | |||
+ | This also includes problems with configuration, | ||
- | This also includes problems with configuration, | + | Issues |
- | Issues | + | Security issues, |
- | Low severity issues usually do not need to have CVE and, on PHP developer' | + | Low severity issues usually do not need to have CVE and may, at the discretion |
===== Not a security issue ===== | ===== Not a security issue ===== | ||
- | We do not classify as a security issue any issue that requires the server to run specific code (unless it is a very simple frequently used pattern, such as starting a session, calling a constructor, | + | We do not classify as a security issue any issue that: |
- | We do not classify as a security issue bugs in debug functions or stemming from the use of debug functionality | + | * requires invocation of specific code, which may be valid but is obviously malicious |
+ | * requires invocation of functions | ||
+ | * requires specific actions to be performed on the server, which are not commonly performed, | ||
+ | * requires privileges superior to that of the user (uid) executing PHP | ||
+ | * requires | ||
+ | * requires the use of settings not recommended for production - ex. error reporting to output | ||
+ | * requires the use of non-standard environment variables - ex. USE_ZEND_ALLOC | ||
+ | * requires the use of non-standard builds - ex. obscure embedded platform, not commonly used compiler | ||
+ | * requires the use of code or settings known to be insecure | ||
+ | * requires the use of FFI | ||
+ | * requires an open_basedir bypass | ||
- | We do not classify as security issue any problems stemming from using non-standard environment settings (including USE_ZEND_ALLOC=0), | ||
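Review bot: the first bullet of the rewritten "Not a security issue" list, "requires invocation of specific code, which may be valid but is obviously malicious", drops the qualifier the removed sentence carried, "(unless it is a very simple frequently used pattern, such as starting a session, calling a constructor, ...)". Without that exception the bullet can be read as also excluding bugs reachable only through such common patterns, which conflicts with the High severity text kept above ("issues that require special code or code pattern if such code or pattern is present in many popular libraries"). Suggest restoring the carve-out on that bullet so the two sections stay consistent.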
====== Handling issues ====== | ====== Handling issues ====== | ||
Line 53: | Line 90: | ||
Q. How do I report a security issue?\\ | Q. How do I report a security issue?\\ | ||
- | A. Please report it on http:// | + | A. Please report it on http:// |
Q. What do you consider a responsible disclosure? | Q. What do you consider a responsible disclosure? |
security.txt · Last modified: 2024/01/30 17:35 by derick