iniscan
iniscan copied to clipboard
psecio
incorrect results / false positives
I guess there are some incorrect results. I use this php.ini and PHP 7.0 with iniscan version 3.6.4.
This is the output:
Status | Severity | PHP Version | Current Value | Key | Description
------------------------------------------------------------------------------------------
FAIL | ERROR | 5.2.0 | 1 | session.cookie_httponly | Setting session cookies to 'http only' makes them only readable by the browser
FAIL | ERROR | 4.0.4 | 1 | session.cookie_secure | Cookie secure specifies whether cookies should only be sent over secure connections.
FAIL | WARNING | 5.5.2 | 1 | session.use_strict_mode | Strict mode prevents uninitialized session IDs in the built-in session handling.
FAIL | ERROR | 4.0.3 | 0 | allow_url_fopen | Do not allow the opening of remote file resources ('Off' recommended)
As you can read in the php docs the current session settings are secure. allow_url_fopen is also disabled. Or is the column Current value the recommended value?
It seems the determination of default values is incorrect, because the value of session.cookie_httponly is "". Same for other values.
Do you check the values 1, 0, Off, On, "1", "0" or "" for specific settings?
Hmm, interesting - I'll have to look into this one further to see what's happening here. There's "casting" functionality in the Psecio\Iniscan\Cast class that tries to normalize out the 1/0/Off/On/etc values to the same result but maybe there's something getting lost in the shuffle there with some of the PHP 7 updates.
@enygma The cast is correct. It seems more an error with the "current value" column. See my example for "allow_url_fopen".
The real value:
The result of iniscan:
Current value shows "0" but is definitly 1 ("On").
The bug is here: https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/Rule.php#L369 Instead of $test->value which returns https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/rules.json#L148 should be $ini[$test->key] are set.
Hmm, trying to reproduce this one but it seems that things are reporting back correctly on a PHP 7.0 configuration file. I've tried:
allow_url_fopen = Off
allow_url_fopen = 0
Both seem to work as expected:
PASS | ERROR | 4.0.3 | 0 | allow_url_fopen | Do not allow the opening of remote file resources ('Off' recommended)
Is there something I'm missing to reproduce this issue?
(discard warning about session.cookie_httponly, it was my mistake, sorry about the noise)
@enygma Sorry for the late response!
I tried it also with my iniscan Docker container and this ini file.
Here are the steps to reproduce:
cd /tmp
curl -o php.ini https://gist.githubusercontent.com/tommy-muehle/4a59294d1799c19254780788f1f6f1e6/raw/e6133995df411ecf158892d338512a11949863d6/php.ini
docker run --rm -ti -v $(pwd):/tmp dockerizedphp/iniscan scan --fail-only --path=/tmp/php.ini
Inside the container runs PHP 7.1 if this is necessary.
For upload_max_filesize (16M -> 2M), post_max_size (24M -> 8M) and memory_limit (256M -> 128M) it returns me the default value and not the current value. For allow_url_fopen it cast me On to 0. And for disable_functions it displays and empty value instead of pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,.
Also for session.use_strict_mode the value is 0 but is displays 1, however it still detect it as failed so the cast occurs after.
Happening on PHP 7.4 if that matters.
