Test not passing: Emulator testing for PHP CGI remote code execution CVE-2012-1823 about glastopf HOT 18 CLOSED

Assigned to Enrico as he is the original developer of this module

from glastopf.

It could be a problem in the sandbox module, but I will look on it during this week.

from glastopf.

Hi Johnny, try to test the following snippet inside the apd_sandbox.py

"""
php5", "sandbox/apd_sandbox.php", "files/" + script]
"""

Create a test php /(test.php) file with the following content:

"""

"""
and run the sandbox from command line

php5 sandbox/apd_sandbox.php files/test.php

the expected output result is the string "testing". Otherwise there is an error inside the php sandbox installation from my point of view.

from glastopf.

Uhm, yes. you are right. Trying to figure out the exact problem. Unsure about the error message, does it mean that one have to have that exact version of Zend Engine API installed, or?

jkv@obelix:~/glas-dev/glastopf$ php5 sandbox/apd_sandbox.py files/test.php

Advanced PHP Debugger (APD) requires Zend Engine API version 220090626.
The Zend Engine API version 220100525 which is installed, is newer.
Contact George Schlossnagle at http://pear.php.net/ for a later version of Advanced PHP Debugger (APD).

from glastopf.

Johnny, APD is no longer working with your Zend API version. But I ripped it apart and build my own function replacer: https://github.com/glastopf/BFR Make sure to change your php.ini after building it.

from glastopf.

I think there is another issue inside the test_emulators.py in the function test_rfi_emulator.
The injected php file from http://1durch0.de/test_file.txt is:
"""

"""

the PHP sandbox should evaluate it and return the static string inside the echo command, but the assert is:
"""
self.assertIsNot(self.event.response, "test successful")
"""

it should be:
"""
self.assertEqual(self.event.response, "test successful")
"""

or not?

from glastopf.

Heh yes you are right.

from glastopf.

@glaslos Any chance you will fix/replace the APD in glastopf with you own sometime soon? :)

from glastopf.

There is no APD in Glastopf :)

from glastopf.

Ok, yes. you know... the whole function replace thingy stuff! :)

from glastopf.

You just have to install BFR instead of APD dude :)

from glastopf.

Oh my gawd. Now it makes sense - no wonder the test output from the CI server kept giving me the creeps.

from glastopf.

@glaslos the point about manually editing php.ini is missing from the install docs, yes?

from glastopf.

No, its just you :)

Modify your php.ini accordingly. Add:
zend_extension = /usr/lib/php5/20100525+lfs/bfr.so

from glastopf.

Hehe, i was talking about the docs for glaspot: https://github.com/glastopf/glastopf/blob/master/docs/source/installation/installation_ubuntu.rst

from glastopf.

Heh, you are right.

from glastopf.

I added the BFR part when I updated the docs, but I guess that the php.ini part got left behind.

from glastopf.

Created a new build environment with the instruction from Matthias, and everything works fine after all.

from glastopf.