Slashdot Mirror


New PHP Interpreter Finds XSS, Injection Holes

rkrishardy writes "A group of researchers from MIT, Stanford, and Syracuse has developed a new program, named 'Ardilla,' which can analyze PHP code for cross-site scripting (XSS) and SQL injection attack vulnerabilities. (Here is the paper, in PDF, and a table of results from scanning six PHP applications.) Ardilla uses a modified Zend interpreter to analyze the code, trace the data, and determine whether the threat is real or not, significantly decreasing false positives." Unfortunately, license issues prevent the tool in its current form from being released as open source.

9 of 66 comments

  1. Fixed it for you by techprophet · Score: 4, Informative

    New PHP Interpreter Finds XSS, Injection Holes

    Fixed it for you.

  2. Find X? by eldavojohn · Score: 4, Funny

    New PHP Interpreter Findx XSS, Injection Holes

    New PHP Interpreter Finds XSS, Injection Holes

    Fixed it for you.

    Clearly the title was trying to illustrate the PHP interpreter's ability to solve the Pythagorean theorem.

    --
    My work here is dung.
    1. Re:Find X? by eldavojohn · Score: 5, Funny

      Clearly the title was trying to illustrate the PHP interpreter's ability to solve the Pythagorean theorem [mit.edu].

      I don't need PHP for that! Besides, the Pythagorean theorem doesn't have X, just a, b, and c.

      a^2 + b^2 = c^2

      I see you prefer short, nondescript variable names for your algorithms. I pity the person who has to maintain that bit of code. What is a? What is b? What is c?

      I ascribe to a more Knuth-y self descriptive code and prefer the Pythagorean theorem to look more like:

      sideAdjacentToRightAngle^2 + otherSideAdjacentToRightAngle^2 = sideOppositeRightAngle^2

      Or maybe I'm just being a smartass? It's so hard to tell with developers these days ...

      --
      My work here is dung.
    2. Re:Find X? by MillionthMonkey · Score: 3, Funny

      I ascribe to a more Knuth-y self descriptive code and prefer the Pythagorean theorem to look more like:

      sideAdjacentToRightAngle^2 + otherSideAdjacentToRightAngle^2 = sideOppositeRightAngle^2

      Or maybe I'm just being a smartass? It's so hard to tell with developers these days ...

      Would you want to stare at a wall of code with otherSideAdjacentToRightAngles and sideOppositeRightAngles and sideAdjacentToRightAngles all over the place?

      You could just go all the way and call them II11011I, I1IIOI1I, and II110I1I. At least call one of them "hypotenuse", Christ.

  3. holy smokes batman by sublimino · Score: 3, Interesting

    From the results paper: "Part of Ardilla's implementation depends on modifications to the open-source Zend interpreter...made (for a different purpose) by a student while he was an intern at IBM. We have since made many more modifications, but since the original small diffs are owned by IBM, we cannot release either those original modifications or our later work that builds on them...It would be valuable for someone to re-implement the original changes, so that we could release our entire system as we would prefer. "

    How would these changes be "re-implemented" - would the code have to be re-engineered, or would a trawl through the original code (patching in changes verbatim) be acceptable? Otherwise, would somebody have to find alternative syntax for implementing the same functionality? Barrel of worms methinks.

  4. Probably for the best by JNSL · Score: 3, Insightful

    Although it would be nice to be able to use this, I'd imagine there'd be lots of damage following from widespread release of this program without a quick turnaround on fixing vulnerable sites.

  5. This somehow ... by xmff · Score: 3, Insightful

    ... reminds me of Perl's taint mode, where all external input data is traced until it has been explicitly checked through a regular expression or similar.

  6. Just teach people how to code by loufoque · Score: 3, Insightful

    Just teach people how to code. When a function or subsystem expects a certain format as a precondition on its input, you actually have to make sure you enforce that precondition (in the case of PHP applications, you simply need to apply trivial conversions such as htmlspecialchars() or mysql_escape_char() depending on whether you want to use that input to generate HTML or XML or to include it into a MySQL request -- this is enough to get rid of XSS and SQL injections completely).

    There would be no need for such tools if PHP developers actually were software engineers rather than kiddies surfing on the web hype who barely understand the tools they're manipulating.
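
The two ideas raised in comments 5 and 6 (trace external input until it passes an explicit check, then apply the conversion that matches the sink it is going to) fit in one short script. This is an added example, not code from the thread, the paper or Ardilla. It sends one constructed request value to an HTML sink and a SQL sink, first the injectable way and then with a boundary check, `htmlspecialchars()` for the HTML context and a prepared statement for the SQL context. It assumes PHP 7.4 or later with PDO and the `pdo_sqlite` driver (used only so it runs offline); the `users` table and the sample row are constructed for the demo.

```php
<?php
// Added example, not code from the Slashdot thread or from Ardilla. One
// user-supplied value goes to two sinks (HTML output and a SQL query); the
// injectable version is shown beside context-specific handling.
// Assumes PHP 7.4+ with PDO and pdo_sqlite; the "users" table is constructed.

// Constructed input: a legitimate apostrophe plus an HTML payload. In a real
// request this would arrive via $_GET['name'] or a form field.
$raw = "O'Brien <script>alert(1)</script>";

// --- Vulnerable: the raw string is concatenated into both sinks ---------------
function vulnerable_html(string $name): string {
    return "<p>Hello, $name</p>";                        // markup is interpreted: XSS
}
function vulnerable_sql(string $name): string {
    return "SELECT id FROM users WHERE name = '$name'";  // the quote ends the literal: SQLi
}

// --- Hardened ------------------------------------------------------------------

// Precondition check at the boundary (the taint-mode "explicit check"): a display
// name is letters, combining marks, spaces, apostrophes and hyphens, 1-64 chars.
// Anything else is rejected, not "cleaned".
function validate_name(string $name): ?string {
    return preg_match('/^[\p{L}\p{M} \'\-]{1,64}$/u', $name) === 1 ? $name : null;
}

// HTML sink: encode for the HTML text context. ENT_QUOTES is passed explicitly
// because before PHP 8.1 the default flags leave single quotes unencoded.
function safe_html(string $name): string {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// SQL sink: a prepared statement keeps the value out of the query text, so the
// apostrophe in a valid name needs no escaping at all.
function safe_query(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory database so the hardened query can actually run.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien')");

echo "vulnerable html: ", vulnerable_html($raw), "\n";   // <script> survives intact
echo "vulnerable sql:  ", vulnerable_sql($raw), "\n";    // literal closed after O, rest is SQL
echo "hardened html:   ", safe_html($raw), "\n";         // O&#039;Brien &lt;script&gt;...

// The boundary check rejects the payload outright (NULL); a plain name passes and
// the parameterised query matches the stored row even though it contains a quote.
var_dump(validate_name($raw));
$name = validate_name("O'Brien");
echo "hardened sql ids: ", implode(',', safe_query($pdo, $name)), "\n";
```

The point the two hardened functions make together is that validation and output handling are separate steps: the regex lets an apostrophe through because names legitimately contain one, so the SQL sink still needs parameterisation and the HTML sink still needs encoding. Which conversion applies is decided by the sink, not by where the data came from.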

  7. DarkReading! by jginspace · Score: 3, Informative

    TFA is just blog spam. See source.

    And I wonder, are the maintainers of schoolmate and webchess now frantically patching their code? None of the articles gives dates - although the PDF is more than 18 months old.