The document compares several alternative PHP implementations to the standard PHP interpreter and identifies security issues. It finds that while the alternatives like HipHop and Phalanger provide improved efficiency, they also introduce new security vulnerabilities compared to the standard PHP implementation. The most vulnerable is found to be Quercus on Resin, which exhibited issues like HTTP parameter contamination, path traversal vulnerabilities, and logic violations. Meanwhile, HipHop was found to most closely match standard PHP security and even exceed it in some areas. In conclusion, alternative PHP implementations improve performance but often at the cost of new security issues.

1. Not all PHP implementations are
equally useful
Sergey Scherbel
Positive Technologies
May 2012

2. Intro: PHP
A few words about PHP:
one of the most popular script languages
is quickly improved
has an adaptable syntax
there are a number of various CMS and CMF on PHP
At the same time:
efficiency of PHP interpreter is not high
But efficiency is critical for a great number of projects...

3. Intro: PHP
But you can create your own PHP! 

4. Alternative PHP implementations
There are several alternative PHP implementations. As a rule, these
implementations compile PHP scripts into a machine-code form.
Lets consider the following implementations:
Roadsend PHP (PHP -> C -> machine code)
Phalanger (PHP -> Microsoft IL)
Quercus on Resin (PHP -> JVM)
PHC (PHP -> C -> machine code)
HipHop (PHP -> C++ -> machine code)

5. Roadsend PHP
Roadsend PHP compiler allows you to create
executable files. It also includes embedded
MicroServer web server.
Variants of run:
the executable + web server + FastCGI = web application
the executable + MicroServer = web application

6. Phalanger
Phalanger is a PHP compiler for .NET.
supports full compatibility with .NET
is compatible with a great number of PHP applications
allows users to address .NET classes

7. Quercus on Resin
Resin is a web server and Java application server designed by Caucho
Technology.
The web server includes a special PHP implementation named Quercus.
The web server is released in 2 versions:
Professional: PHP is compiled into Java byte code
Open Source: PHP is executed by the interpreter

8. HipHop
HipHop is a source code translator designed by Facebook.
Features:
PHP is translated into a temporary C++ code
The temporary code is compiled via g++
The result includes the web server
./program -m server --port 8080
There is also HPHPi that is a PHP interpreter that allows script
execution without compilation.

9. HipHop
Files that are the result
of compilation
So, the size of an elementary PHP
script after compilation is ~ 30 MB!

10. HipHop
You can eliminate several types of vulnerabilities in case an application is
compiled but not interpret!
Local File Inclusion:
There is no way to connect arbitrary files
You can connect only the scripts that were included while compilation
Arbitrary File Loading:
PHP script loading does not result in desired effect – the script may
not be run
Possible exploitation – load a HTML page and then attack clients

11. What are the key items?
Environment vulnerabilities (embedded web server, etc.)
Parameter Handling
HTTP Parameter Pollution
HTTP Parameter Contamination
Cross-technology vulnerabilities (PHP + .NET = ???)
Vulnerabilities in PHP old versions (a legendary ones )

12. Environment vulnerabilities

13. Roadsend PHP MicroServer: Path Traversal
Embedded web server incorrectly handles file names.

14. Roadsend PHP MicroServer: Path Traversal
This is also possible 

15. Parameter Handling

16. HTTP Parameter Contamination
Various platforms and applications handle incorrect characters
in parameters in different ways.
The attack is used to bypass various filters (WAF).
We compare:
usual LAMP (a master platform)
Win7 + IIS 7.5 + Phalanger 3.0
Linux + HipHop
Linux + Quercus on Resin (different versions)

17. HTTP Parameter Contamination
We immediately find differences with LAMP platform!
Quercus on Resin Quercus on Resin
Request LAMP
3.1.12 4.0.26
Array Array Array
( (
(
test.php?a&b=1 [a] => [a] =>
[a&b] => 1
[b] => 1 [b] => 1
) ) )
Array Array Array
( ( (
test.php?a=1&b [a] => 1 [a] => 1 [a] => 1
[b] => [b] => [b] =>
) ) )

18. HTTP Parameter Contamination
Quercus on
IIS 7.5 +
Request LAMP HipHop Resin <=
Phalanger 3.0
4.0.26
Array Array
Array Array
( (
test.php?= ( (
[] => [] =>
) )
) )
Array Array
Array Array
( (
test.php?[]= ( (
[[]] => [0] =>
) )
) )
Array Array
( (
[a] => Array [a] => Array
test.php?a[][= ( Error 500 ( Error 500
[0] => [0] =>
) )
) )

19. HTTP Parameter Contamination
Error 500 in IIS 7.5 + Phalanger 3.0

20. HTTP Parameter Contamination
Error 500 in Quercus on Resin

21. HTTP Parameter Contamination
IIS 7.5 + Quercus on
Query LAMP HipHop
Phalanger 3.0 Resin 4.0.26
Array Array Array Array
( ( ( (
test.php?a%=1
[a%] => 1 [a%] => 1 [a%] => 1 [a�] =>
) ) ) )
Array Array Array Array
( ( ( (
test.php?a =1
[a_] => 1 [a ] => 1 [a_] => 1 [a ] => 1
) ) ) )
Array Array Array Array
( ( ( (
test.php?a.=1
[a_] => 1 [a_] => 1 [a_] => 1 [a_] => 1
) ) ) )
Array Array Array Array
( ( ( (
test.php?a%00b=1
[a] => 1 [a�b] => 1 [a] => 1 [a�b] => 1
) ) ) )
Only HipHop results coincide with the master platform.

22. Special practices for OS Windows
File functions in Phalanger incorrectly handle characters reserved for OS («:» +
another special character, i.e.: «|»).

23. Global variables
The possibility to set variable values directly is a flaw in web application
security.
<?php
include($path. ".inc");
?>
You can call the script directly and define an arbitrary value that results
in code execution (RFI, LFI).
register_globals option is responsible for a possibility to set variable
values directly
PHP 5.4.0 does not include register_globals option.

24. Global variables <= Quercus on Resin 4.0.26
Quercus does not include register_globals option (developers
name it a ‘black hole’ in security), an error occurs in case you
try to set it.
In case parameters are sent via POST method, they become
global!

25. Global variables <= Quercus on Resin 4.0.26

26. Rewriting of variables <= Quercus on Resin 4.0.26
Parameters sent in POST method, are handled incorrectly – it is possible
to rewrite variables in _SERVER array!

27. Rewriting of variables <= Quercus on Resin 4.0.26
Attack vector is rewriting of _SERVER array elements that include the
script absolute path.
As a rule, _SERVER array elements are used in script connection and
file system functions.
Rewriting of variables allows an attacker to conduct a number of
attacks, i.e. Local File Inclusion.
<?php
include($_SERVER["DOCUMENT_ROOT"]."header.php");
?>

28. Rewriting of variables <= Quercus on Resin 4.0.26
Rewriting of variables allows you to set an arbitrary value for
$_SERVER["DOCUMENT_ROOT"].

29. Loose comparison of variables of various types
Loose comparison is a comparison with ==
Loose comparison of parameters in PHP is implemented with several
features:

30. Loose comparison of variables of various types
A great number of PHP applications consider these features.
In case the behavior changes, results are not predictable…
We monitor if the features are actual…
and find some curious things 

31. Loose comparison of variables of various types
Script #1:
<?php
$xArray = array(TRUE, FALSE, 1, 0, -1, "1", "0", "-1", NULL, array(), "php", "");
foreach($xArray as $x) {
if($x == array()) { echo("TRUE"); } else { echo("FALSE"); }
echo("<br>");
}
?>
Script #2:
<?php
$xArray = array(TRUE, FALSE, 1, 0, -1, "1", "0", "-1", NULL, array(), "php", "");
foreach($xArray as $x) {
if(array() == $x) { echo("TRUE"); } else { echo("FALSE"); }
echo("<br>");
}
?>

32. == equals | Quercus on Resin
Script #1 (resin 3.1.12) Script #1 (resin 4.0.26) Script #2
TRUE FALSE FALSE TRUE
FALSE TRUE TRUE TRUE
1 FALSE TRUE TRUE
0 TRUE TRUE TRUE
-1 FALSE TRUE TRUE
"1" FALSE FALSE TRUE
"0" FALSE FALSE TRUE
"-1" FALSE FALSE TRUE
NULL TRUE TRUE TRUE
array() TRUE TRUE TRUE
"php" FALSE FLASE TRUE
"" FALSE FLASE TRUE
It is clear that the result of comparison depends on the sequence of compared variables.
This behavior is not usual for an ordinary PHP interpreter.
Also, the result of all comparisons of array() and 0 is true (TRUE), this is not usual for
an ordinary PHP interpreter.

33. == equals | Quercus on Resin
Then, we carried out the detailed analysis of loose comparisons for arrays with
variables of different types:
<?php
$test = …
$xArray = array(TRUE, FALSE, 1, 0, -1, "1", "0", "-1", NULL, array(), "php", "");
foreach($xArray as $x) {
if($test == $x) { echo("TRUE"); } else { echo("FALSE"); }
echo("<br>");
}
?>
In case an empty array is sent:
http://192.168.67.139:8080/test.php?test[]=
, its type is defined as array(1) { [0]=> string(0) "" } – and this is a usual behavior for PHP. The
comparison results for this type of parameters with parameters of other types are the most
interesting.

34. == equals | Quercus on Resin
$test = array() $test = array(0 => "")
$x = TRUE TRUE TRUE
$x = FALSE TRUE TRUE
$x = 1 TRUE TRUE
$x = 0 TRUE TRUE
$x = -1 TRUE TRUE
$x = "1" TRUE FALSE
$x = "0" TRUE FALSE
$x = "-1" TRUE FALSE
$x = NULL TRUE TRUE
$x = array() TRUE TRUE
$x = "php" TRUE FALSE
$x = "" TRUE TRUE
The results greatly differ from the expected ones.
Script behavior is not predictable, a number of vulnerabilities can occur!

35. Cross-technology vulnerabilities

36. open_basedir/safe mode bypass | Phalanger 3.0
Phalanger allows you to access .NET classes, that can lead to security
restriction bypass.
Defined security restrictions (i.e., disable_functions) are usually not
considered in .NET constructions:
<?php
$process = new DiagnosticsProcess();
$process->StartInfo->FileName = "cmd.exe";
$process->StartInfo->WorkingDirectory = "C:";
$process->StartInfo->Arguments = "/c ".$_GET["cmd"];
$process->Start();
$process->WaitForExit();
?>

37. Vulnerabilities in PHP old versions
Legendary vulnerabilities...

38. XSS in Error Message | Quercus on Resin | Roadsend
Special characters are not replaced by HTML equivalents in error
messages that means the an error message is an XSS.

39. File Loading: Path Traversal | Quercus on Resin 3.1.12
There is possible exploitation of Path Traversal because of incorrect
handling of loaded file name.
Example of HTTP query:
POST http://192.168.67.139:8080/test/file.php HTTP/1.1
…
Content-Type: multipart/form-data; boundary=---------------------------101412320927450
Content-Length: 228
-----------------------------101412320927450rn
Content-Disposition: form-data; name="test"; filename="../shell.php"rn
Content-Type: application/octet-streamrn
rn
<?phprn
phpinfo();rn
?>rn
-----------------------------101412320927450--rn

40. File Loading: Null Byte | Quercus on Resin
Incorrect file name handling that is loaded on the server an attacker
can discard postfixes (i.e., .jpg) with NULL byte.

41. File Loading: Null Byte | Quercus on Resin
As a result, Extension Checks Bypass is possible.
<?php
if(isset($_FILES["image"])) {
if(!preg_match("#.(jpg|png|gif)$#", $_FILES["image"]["name"])) {
die("Hacking attempt!");}
copy($_FILES["image"]["tmp_name"],
"./uploads/".$_FILES["image"]["name"]
);
}
?>

42. Results
All third-party implementations are more efficient, have more features,
but the back side is security.
Environmental vulnerabilities
HTTP Parameter Contamination
Path Traversal
logic violations
etc
The most vulnerable implementation is Quercus on Resin.
The most secure implementation is HipHop. Its results not only coincide
with the master platform but even exceed standard PHP implementation.

43. Thank you for your
attention!
Questions?