The problem is not that this "feature" exists; the problem is that, when any parameters are passed to your code from the outside, they should be checked before they are used. And under NO circumstances should you use an externally passed parameter in an include statement.
I don't know what you were running, but PHPNuke just plugged a large security hole because of this. Oh, and BTW, even apache doesn't have permission to write to most of my site :)

Rich Cloutier
SYSTEM SUPPORT SERVICES
President, C*O
www.sysupport.com

----- Original Message -----
From: "Joseph E. Mainusch" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 04, 2002 4:48 PM
Subject: I've been 0wned!

> How humiliating!
>
> My website is running php, which I discovered, much to my chagrin, installs by default with its directive "allow_url_fopen" set to "On". From the description in the php.ini file, this directive determines "Wheter to allow trating URLs like http:... or ftp:... like files". The script kiddy who got me apparently used this security chasm (not just a hole) to execute arbitrary commands on my system, with apache's privileges, the end result of which was the replacement of my index.php file with his own. (http://www.mainusch.net/defaced.html).
>
> Why on earth would PHP ship with all of its security doors completely open?!?!? Arrrghhhh!
>
> It appears this was all this particular kiddy was able to do, which was easy enough to fix. I tightened up security in general after this, but now I have that "oh no, I don't want to have to reinstall the whole system just to be on the safe-side" feeling again.
>
> --
> Joseph E. Mainusch
> 43A East Ridge Road
> Merrimack, NH 03054
> +1 (603) 560 6317
>
> *****************************************************************
> To unsubscribe from this list, send mail to [EMAIL PROTECTED]
> with the text 'unsubscribe gnhlug' in the message body.
> *****************************************************************
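Rich's rule about never feeding an external parameter into include, and the allow_url_fopen setting Joseph describes, as an added PHP example that is not part of either message: the unchecked pattern beside an allow-list version that only ever uses the request value as a lookup key, plus a check of the relevant ini directives. The parameter name `page` and the `pages/*.php` paths are assumptions.

```php
<?php
// Added example, not code from the thread. Parameter name and file paths are assumptions.

// The pattern the thread warns about: the externally supplied value reaches include()
// unchecked. With allow_url_fopen=On, a URL in that value is fetched and executed.
function render_page_unsafe(): void
{
    include $_GET['page'];
}

// Hardened: the request value is only a key into a fixed map of local files, so the
// string that reaches include() is always one the application itself wrote.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $requested): ?string
{
    // Any unknown key (paths, '..', 'http://...', etc.) falls through to null.
    return PAGES[$requested] ?? null;
}

function render_page(array $query): void
{
    $target = resolve_page($query['page'] ?? 'home');
    if ($target === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/' . $target;
}

// Defence in depth: report the runtime state of the directives so a deployment check
// can fail when they are on. allow_url_include (added in PHP 5.2) governs
// include/require of URLs specifically; allow_url_fopen covers the wider fopen family.
function url_directives_enabled(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

render_page($_GET);
```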
