Re: Security Issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes and scrubbing the input to ensure the field used for this URL rejects certain characters or does sanity checking on it would also be another suggestion. Turning this off would fix remote include requests. But still need to check for people requesting local files. Should never take user input and put it directly into include or shell execs or anything.

On Jun 8, 2010, at 11:55 AM, "David Stoltz" <Dstoltz@xxxxxxx> wrote:

allow_url_include is (or should be) disabled by default.

http://us2.php.net/manual/en/filesystem.configuration.php#ini.allow-url-
include

I can't think of one good reason to ever enable this, it would be a
security issue no matter how you slice it...

-----Original Message-----
From: Igor Escobar [mailto:titiolinkin@xxxxxxxxx]
Sent: Tuesday, June 08, 2010 10:11 AM
To: richgray@xxxxxxxxx
Cc: <php-general@xxxxxxxxxxxxx>
Subject: Re:  Security Issue

Hey Richard,

I'll find more about this parameter allow_url_include, thank you!


Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 5:26 PM, richard gray <rich@xxxxxxxxxxxx> wrote:

On 07/06/2010 20:00, Igor Escobar wrote:

PHP Injection is the technical name given to a security hole in PHP
applications. When this gap there is a hacker can do with an external
code
that is interpreted as an inner code as if the code included was more
a
part
of the script.

// my code...
// my code...
include ('http://..../externalhackscript.txt');
//my code...
//my code..

can you not switch off remote file includes in php.ini?
This will stop include/require from a remote host..
i.e. /allow_url_include = Off in php.ini

HTH
Rich
/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux