Re: patch to php 4.3.10 to disabling URL wrappers in include like statements

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Well, of course this was never ment to protect you from inside attacks. But if 
you also disable eval() then I believe it's pretty much harder to create a 
successfull attack via chmod-777-write-exec procedure (from outside).

This patch is ment to prevent accidental DOS attacks by recursive inclusion 
(local users) and to in some degree prevent the execution of external code 
via GET/POST variable exploit (remote attack).

But though it is not a complete assessment of security risk it is a step 
towards right direction - one can apply it and start thinking about better 
solution/other risks etc.

regards,
Bostjan


On Wednesday 02 March 2005 20:09, Richard Lynch wrote:
> Bostjan Skufca @ domenca.com wrote:
> > From system security's standpoint:
> >
> > <?php
> > $content = file_get_contents('http://www.domain.net/file.inc');
> > echo $content;
> > ?>
> >
> > is OK, but
> >
> > <?php
> > include('http://www.domain.net/file.inc');
> > ?>
> >
> > is NOT!
> >
> > Nice patch, Tom, will probably use it myself too...
>
> I'll be interested to see if it works in practice...
> [see previous post of mine]
>
> Ya never know.
>
> I still haven't figured out why spam harvesters don't find even the
> simplest obfuscations like %40 and &#64;
>
> But I guess if you come up with a billion fish every time you cast your
> line, you don't worry about buying better bait.
>
> I *suspect* this situation is different, in that you will have people
> actively trying to alter their attacks to bypass this blockage, and it's
> pretty simple to bypass.
>
> But, perhaps, it will turn out to be that there are so many unpatched
> wide-open places they can find that they'll never bother you again.
>
> I sure hope so, for your sake!
>
> --
> Like Music?
> http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux