1
ajaxbr
PHP Security help needed
  • 2005/2/10 2:13

Hi XOOPSers,
I'm trying to adapt a program that finds flaws in C/C++ code to PHP, so that we could have large-scale automated (and somewhat dumb, but still worthwhile IMHO) code security scans. The original app, Flawfinder, has a list of C/C++ functions that may create security issues, then a few functions to check whether the way a given 'flagged' function is used makes it safe or a problem.


I've built a list of functions (>3600, almost all at php.net) with short descriptions and links to the PHP Manual, and will start picking the ones I find in PHP security articles, assigning arbitrary risk values and trying to prune false positives for them. My PHP security knowledge is very, very small, so if you can contribute (like listing functions you think should be included and why), things could work a lot faster and better.

So, in a nutshell, I need help to determine which core PHP functions bring security issues, what checks I could do to eliminate false positives (i.e., safe ways of using flagged functions), and how to rank the hits the program finds.

Sample output (for a pretty naive version; numbers between '[' and ']' would be the risk rank, and you'll be able to limit scans to hits above rank X using command-line options).

2
hervet
Re: PHP Security help needed
  • 2005/2/11 16:40

Hello,

As far as I know, most of the time the problems come from the code itself and not from the PHP functions.

Hervé

3
ajaxbr
Re: PHP Security help needed
  • 2005/2/11 19:55

Hi Herve,
Thanks for replying.
What I'm trying to build is a scanner for bad code, using PHP functions as a start (but it can, and hopefully will, go beyond that). So if you can share what kind of bad code I should look for, I'll try to put it in. As of now, things like "fopen($file)" are flagged, but it's still very far from useful.

Here's a sample bit of output for a couple of ranked functions:

smarty/core/core.write_compiled_resource.php
:28: [3] (PHP) require_once (http://www.php.net/manual/en/function.require-once.php): Includes and evaluates the specified file, once, during the execution of the script. May disclose physical paths if file is not readable.
    require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.write_file.php');

smarty/core/core.write_compiled_include.php
:72: [3] (PHP) require_once (http://www.php.net/manual/en/function.require-once.php): Includes and evaluates the specified file, once, during the execution of the script. May disclose physical paths if file is not readable.
    require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.write_file.php');

mail/phpmailer/class.phpmailer.php
:520: [4] (PHP) fopen (http://www.php.net/manual/en/function.fopen.php): Parameter ($queue_path . $msg_id . ".pqm") has a '$', fopen may be exploitable if users can inject $queue_path . $msg_id . ".pqm". Use a constant or a filename as argument to fopen. May disclose physical paths if file is not readable.
    $fp = @fopen($queue_path . $msg_id . ".pqm", "wb");
:664: [5] (PHP) include_once (http://www.php.net/manual/en/function.include-once.php): Included file parameter ($this->PluginDir . "class.smtp.php") has a '$', may allow execution of arbitrary code. Use a constant or a filename as argument to include_once. May disclose physical paths if file is not readable.
    include_once($this->PluginDir . "class.smtp.php");
:1245: [4] (PHP) fopen (http://www.php.net/manual/en/function.fopen.php): Parameter ($path) has a '$', fopen may be exploitable if users can inject $path. Use a constant or a filename as argument to fopen. May disclose physical paths if file is not readable.
    if(!@$fd = fopen($path, "rb"))

snoopy.php
:983: [4] (PHP) file (http://www.php.net/manual/en/function.file.php): Parameter ("/tmp/$headerfile") has a '$', file may be exploitable if users can inject "/tmp/$headerfile". Use a constant or a filename as argument to file. May disclose physical paths if file is not readable.
    $result_headers = file("/tmp/$headerfile");
:1193: [4] (PHP) fopen (http://www.php.net/manual/en/function.fopen.php): Parameter ($file_name) has a '$', fopen may be exploitable if users can inject $file_name. Use a constant or a filename as argument to fopen. May disclose physical paths if file is not readable.
    $fp = fopen($file_name, "r");

Still a long way to go... but might work
looks good in preview, then borks on submit
When I get home I'll upload it then re-post...
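
Added example, not code from this thread, from Flawfinder or from XOOPS: a minimal Python sketch (Flawfinder's own language) of the three pieces the first and third posts describe: a flag list with base ranks, a check that prunes false positives, and a ranked per-file report with a minimum-rank threshold like the command-line option mentioned in the first post. The function list, the rank values, the basename() rule and the PHP sample it scans are all assumptions constructed for illustration; the sample's first four lines mirror the hits quoted above.

```python
"""Flawfinder-style scan of PHP source: flag risky calls, rank them, prune false positives.

Constructed as an illustration for this thread; the function list, rank values and
pruning rule below are assumptions, not the poster's real table or Flawfinder's.
"""
import re
from dataclasses import dataclass

# name -> (base rank, bonus when the argument carries a variable, short note)
FLAGGED = {
    "require_once": (3, 2, "may execute arbitrary code if the path is user-controlled"),
    "include_once": (3, 2, "may execute arbitrary code if the path is user-controlled"),
    "require":      (3, 2, "may execute arbitrary code if the path is user-controlled"),
    "include":      (3, 2, "may execute arbitrary code if the path is user-controlled"),
    "fopen":        (3, 1, "may read or write arbitrary files if the path is user-controlled"),
    "file":         (3, 1, "may read arbitrary files if the path is user-controlled"),
}
INCLUDES = {"include", "include_once", "require", "require_once"}  # may omit the parentheses

# Name not preceded by a word char, '$', '->' or '::', so $file, $this->file() and
# Foo::file() are skipped; the '\b' after the name keeps file_exists() out of 'file'.
_names = sorted(FLAGGED, key=len, reverse=True)
CALL_RE = re.compile(r"(?<![\w$>:])(" + "|".join(map(re.escape, _names)) + r")\b")
SINGLE_QUOTED = re.compile(r"'(?:\\.|[^'\\])*'")
SANITIZED = re.compile(r"\bbasename\s*\(")


@dataclass
class Hit:
    line: int
    func: str
    rank: int
    arg: str
    note: str


def read_argument(src: str, pos: int) -> str:
    """Raw argument text of the call whose name ends at `pos`.

    Accepts both `f(...)` and the parenthesis-free `require_once 'x.php';` form, and
    ignores parentheses and semicolons that sit inside string literals.
    """
    i = pos
    while i < len(src) and src[i] in " \t":
        i += 1
    paren = i < len(src) and src[i] == "("
    if paren:
        i += 1
    start, depth, quote = i, 1 if paren else 0, None
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            if paren and depth == 1:
                return src[start:i]
            depth -= 1
        elif c == ";" and not paren and depth == 0:
            return src[start:i]
        i += 1
    return src[start:]


def has_variable(arg: str) -> bool:
    """True if the argument can carry runtime data: a '$' outside single quotes.

    PHP does not interpolate inside '...', so fopen('price-$5.txt') is a constant path,
    while "/tmp/$headerfile" (double quotes) is not.
    """
    return "$" in SINGLE_QUOTED.sub("''", arg)


def rank_call(func: str, arg: str) -> int:
    """Base rank for a constant argument; add the bonus when a variable is present;
    take one point back when basename() is applied (traversal made harder, not gone)."""
    base, bonus, _ = FLAGGED[func]
    if not has_variable(arg):
        return base
    rank = base + bonus
    if SANITIZED.search(arg):
        rank -= 1
    return rank


def scan(src: str, min_rank: int = 0) -> list[Hit]:
    """All flagged calls in `src` with rank >= min_rank, highest rank first."""
    hits = []
    for m in CALL_RE.finditer(src):
        func = m.group(1)
        tail = src[m.end():].lstrip(" \t")
        if not tail.startswith("(") and func not in INCLUDES:
            continue                      # bare word, e.g. "fopen" inside a comment
        arg = read_argument(src, m.end()).strip()
        rank = rank_call(func, arg)
        if rank >= min_rank:
            line = src.count("\n", 0, m.start()) + 1
            hits.append(Hit(line, func, rank, arg, FLAGGED[func][2]))
    return sorted(hits, key=lambda h: (-h.rank, h.line))


def report(hits: list[Hit], path: str) -> str:
    """Plain-text version of the thread's per-file listing: ':line: [rank] func: note'."""
    out = [f"--- {path} ---"]
    for h in hits:
        out.append(f":{h.line}: [{h.rank}] {h.func}: {h.note}\n    {h.func}({h.arg})")
    return "\n".join(out)


# Constructed PHP sample modelled on the hits quoted in the thread, plus cases that
# exercise the false-positive checks (single-quoted '$', basename(), look-alike names).
SAMPLE_PHP = """<?php
require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.write_file.php');
$fp = @fopen($queue_path . $msg_id . ".pqm", "wb");
include_once($this->PluginDir . "class.smtp.php");
$result_headers = file("/tmp/$headerfile");
$log = fopen('/var/log/price-$5.txt', 'r');
$fd = fopen($upload_dir . basename($_GET['name']), 'rb');
if (file_exists($path)) { $this->file($path); }
"""

if __name__ == "__main__":
    print(report(scan(SAMPLE_PHP, min_rank=3), "sample.php"))
```

Running it prints the six hits ranked 5, 4, 4, 3, 3, 3; the include_once with a variable path tops the list, the single-quoted '$' and the basename() call come out at the base rank, and file_exists() / $this->file() are not matched at all. Because it works with regular expressions over raw source, a flagged word inside a comment or a string literal (a comment reading "include the header", say) can still produce a hit; a real version should walk the token stream PHP's own token_get_all() produces instead. The basename() rule only lowers the rank: it strips directory components, but the file name itself is still attacker-chosen.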

4
hervet
Re: PHP Security help needed
  • 2005/2/19 10:07

Hello ajaxbr,

Sorry to come back so late.
I have recovered a program I found on the internet, Php protector. It was written in C.

You will find, at this URL, the source code and a compiled version for Windows (see the Release folder).

It scans source code and tries to find flaws.
Not a big program, but it could help.

Bye,
Hervé
