On 3/24/06, Chris Shiflett <shiflett@xxxxxxx> wrote:
> Merlin wrote:
> > I am wondering if I am opening a potential security risk by
> > including files on remote servers.
>
> Yes.
>
> > I am doing an include ('http:/www.server.com/file.html') inside
> > a php script of mine to seperate content from function. Content
> > is produced by a friend of mine and I do not want to grant
> > access to my server to him.
>
> You already are. You're basically instructing PHP to evaluate file.html
> as PHP code, so your friend can execute any PHP code on your server.
>
> If you only want to display file.html, use readfile(). This reduces your
> risk from remote code injection to cross-site scripting (XSS).
>
> > If including <? phpinfo(); ?> into his file, I do get the info
> > of php and I believe it is the phpinfo of my server.
>
> If he's executing phpinfo() on his server, it's going to describe his
> server. If he's outputting:
>
> <?php phpinfo(); ?>
>
> Then you're going to execute that when you include it.
>
> > That lets me believe that he could write now any php code which
> > would be ececuted on my server. Is that right? And if yes, what
> > can I do against it?
>
> Use readfile(), but remember that this allows him to inject anything he
> likes into the content you send users, so your passing your risk onto
> your users.
>
> Chris
>
If you don't trust him enough to give him access to your server, why
are you letting him dynamically include code?
--
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
