Hi Padraic,

On Sat, Feb 21, 2015 at 5:18 PM, Pádraic Brady <padraic.br...@gmail.com>
wrote:

> Does this have any impact on allow_url_include or has that setting
> been retained?
>
> Yes, folk do indeed try to do this, for example hitting up Google:
>
> http://www.quora.com/Why-do-include-and-require_once-not-work-with-remote-files
>

allow_url_include=Off is kept.

An attacker can easily place *.php files on remote servers.
I guess PHP also allows php://input without it, doesn't it?
php://input allows script execution via POST.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
