RE: problem with url_fopen on free hosting environment

I might be wrong but I think your problem goes beyond allowing URLs in
fopen. A user could just as well use cURL to build a self-calling script.
You might need to put a filter on apache on the number of requests (what's
the version of apache?).

The usual problem with allowing URLs in fopen and in "include" or "require"
is that users do some stupid stuff like include($_GET['script'].'.php') and
get a myriad of remote code executed on your server (usually used by
spammers to send email using your server).

However, to secure a php installation on a per-domain basis you can try
http://www.hardened-php.net/suhosin. I can't remember if it covers the URL
stuff, but you can enable/disable PHP functions on a per-domain basis
(apache virtual host configuration) which you will likely need if you are
the manager for a shared hosting environment.

Rob


Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: info@xxxxxxxxxxxxx  | MSN Chat: best@xxxxxxxxxxxxx  |  SKYPE:
bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com
> -----Original Message-----
> From: Samuel Vogel [mailto:samy-delux@xxxxxx]
> Sent: Tuesday, November 27, 2007 6:13 PM
> To: php-general
> Subject:  problem with url_fopen on free hosting environment
> 
> Hey guys,
> 
> I am running a free hosting environment and do have some trouble with
> allow_url_fopen. Right now we prohibit this, but it's requested by many
> of our users.
> The problem is something like the following script, which calls itself
> over and over again, being run on our server:
> <?php
> // self-calling loop: every request spawns another request to this same script
> while(true)
>         file_get_contents("http://domain.com/crash.php");
> ?>
> 
>  From the outside our anti-dos measures would take effect, but not when
> the requests are coming from our own server.
> We have max_execution_time set to 5, but this does not take effect on
> this script. It just calls itself until the server queue is full. We
> run
> mod_security on our servers, which seems to ease the situation
> somewhat.
> But some time sooner or later apache crashes and is restarted by monit.
> 
> We would like to enable allow_url_fopen, but under those circumstances
> this is not possible.
> Could anybody please give me a hint on how to resolve this situation?
> 
> Regards,
> Samy
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
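As an added example (not from either poster, and not Suhosin configuration), a mod_php per-virtual-host setup that gives users URL-aware fopen() while keeping URL-aware include() off and bounding the socket wait that defeats max_execution_time in the quoted script. The host name and paths are placeholders; allow_url_include exists only from PHP 5.2 onwards.

```apacheconf
# Added example: per-domain PHP hardening with mod_php's php_admin_* directives,
# which users cannot override from .htaccess or ini_set().
<VirtualHost *:80>
    # placeholder host name and document root
    ServerName example-customer.invalid
    DocumentRoot /var/www/example-customer

    # Weak setting discussed in the thread: one switch for everything.
    # On PHP < 5.2, allow_url_fopen On also lets include()/require() fetch URLs,
    # which is the include($_GET['script'].'.php') remote-code problem.
    #php_admin_flag allow_url_fopen On

    # Corrected: file_get_contents("http://...") works, include("http://...") does not.
    php_admin_flag allow_url_fopen On
    php_admin_flag allow_url_include Off

    # max_execution_time only counts the script's own CPU time on Unix; time spent
    # blocked on a socket is not counted, so the 5-second limit never fired on the
    # self-calling script. Cap the socket wait instead (seconds).
    php_admin_value default_socket_timeout 5

    # Confine file access to the customer's tree plus a scratch directory.
    php_admin_value open_basedir /var/www/example-customer:/tmp

    # Remove process-spawning primitives a shared-hosting web app does not need.
    php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen"
</VirtualHost>
```

cURL bypasses allow_url_fopen entirely, so the request-rate limiting Rob mentions is still needed against a loop built with curl_exec().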

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


