security [2017/09/22 13:28] (current)

====== Meta ======

   * Authors: Release Managers
   * Date: November 2016
   * Version: 1.0.0
   * RFC: [[rfc:security-classification|Security Issue Classification]]

====== Introduction ======

For the sake of our users, we classify some of the issues found in PHP as "security issues". This document is intended to explain which issues are thus classified, how we handle those issues and how to report them.
  
====== Classification ======
  
We classify as security issues bugs that:

   * allow users to execute unauthorized actions
   * cross security boundaries
   * access data that is not intended to be accessible
   * severely impact the availability or performance of the system

The purpose of this classification is to alert users and developers about the bugs that need to be prioritized in their handling.
  
We define three categories of security issues, by their severity, described below. Please note that this categorization is in many aspects subjective, so it ultimately relies on the judgement of the PHP developers.

===== High severity =====
  
These issues may allow:

  * a third party to compromise any, or most, installations of PHP
  * the execution of arbitrary code
  * disabling the system completely
  * access to any file the local PHP user can access

The issue can be triggered on any, or on most typical, installations, and does not require exotic and non-recommended settings to be triggered.

This category also includes issues that can be triggered in code or functions known to be frequently used (session, json, mysql, openssl, etc.) during typical usage, and that require settings or configurations that may not be strictly best practice, but are commonly used.

This category may also include issues that require special code or a code pattern, if such code or pattern is present in many popular libraries.

Issues of this kind usually get a CVE identifier assigned.
  
===== Medium severity =====
  
These issues may have the same potential to compromise an installation as a high severity issue, but additionally require one of the following:

  * an extension that is not commonly used
  * a particular type of configuration that is used only in narrow, specific circumstances
  * an old version of a third-party library being used when building or deploying PHP
  * code, or patterns of code, that are known to be used infrequently
  * code that is very old, or extremely uncommon (and so is used infrequently)

Issues of this kind usually get a CVE identifier, unless the required configuration is so exotic that it is not practically usable.

===== Low severity =====
  
These issues allow a theoretical compromise of security, but a practical attack is usually impossible or extremely hard due to common practices or limitations that are virtually always present or imposed.

This also includes problems with configuration, documentation, and other non-code parts of the PHP project that may mislead users, or cause them to make their system or their code less secure.

Issues that can trigger unauthorized actions that do not seem to be useful for any practical attack can also be categorized as low severity.

Security issues that are present only in unstable branches belong to this category too. Any branch that has no stable release is, per se, not intended for production use.

Low severity issues usually do not need a CVE and may, at the discretion of the PHP developers, be disclosed publicly before the fix is released or available.

===== Not a security issue =====

We do not classify as a security issue any issue that:

  * requires invocation of specific code, which may be valid but is obviously malicious
  * requires invocation of functions with specific arguments, which may be valid but are obviously malicious
  * requires specific actions to be performed on the server, which are not commonly performed, or are not commonly permissible for the user (uid) executing PHP
  * requires privileges superior to those of the user (uid) executing PHP
  * requires the use of debugging facilities, e.g. xdebug, var_dump
  * requires the use of settings not recommended for production, e.g. error reporting to output
  * requires the use of non-standard environment variables, e.g. USE_ZEND_ALLOC=0
  * requires the use of non-standard builds, e.g. an obscure embedded platform or a not commonly used compiler
  * requires the use of code or settings that are already insecure, or that could be exploited in the same manner had the issue not been present
  
====== Handling issues ======
  
Q. How do I report a security issue?\\
A. Please report it on http://bugs.php.net, choosing the type "Security". This will automatically make it private. If for some reason you cannot do that, or need to talk to somebody about a PHP security issue that is not exactly a bug report, please write to security@php.net.
  
Q. What do you consider a responsible disclosure?\\