RE: Security Issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



allow_url_include is (or should be) disabled by default.

http://us2.php.net/manual/en/filesystem.configuration.php#ini.allow-url-
include

I can't think of one good reason to ever enable this, it would be a
security issue no matter how you slice it...

-----Original Message-----
From: Igor Escobar [mailto:titiolinkin@xxxxxxxxx] 
Sent: Tuesday, June 08, 2010 10:11 AM
To: richgray@xxxxxxxxx
Cc: <php-general@xxxxxxxxxxxxx>
Subject: Re:  Security Issue

Hey Richard,

I'll find more about this parameter allow_url_include, thank you!


Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 5:26 PM, richard gray <rich@xxxxxxxxxxxx> wrote:

> On 07/06/2010 20:00, Igor Escobar wrote:
>
>> PHP Injection is the technical name given to a security hole in PHP
>> applications. When this gap there is a hacker can do with an external
code
>> that is interpreted as an inner code as if the code included was more
a
>> part
>> of the script.
>>
>> // my code...
>> // my code...
>> include ('http://..../externalhackscript.txt');
>> //my code...
>> //my code..
>>
> can you not switch off remote file includes in php.ini?
> This will stop include/require from a remote host..
> i.e. /allow_url_include = Off in php.ini
>
> HTH
> Rich
> /
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux