ID: 15187
Updated by: sesser
Reported By: [EMAIL PROTECTED]
Status: Bogus
Bug Type: Scripting Engine problem
Operating System: Linux 2.4
PHP Version: 4.1.1

New Comment:
Speaking of phpnuke... this security problem in phpnuke was reported a while back to its developers. If they haven't fixed it by now, blame them.

Previous Comments:
------------------------------------------------------------------------

[2002-01-23 15:49:50] [EMAIL PROTECTED]

We can't stop developers from shooting themselves in the foot. If you want to include a remote file without parsing it locally, you would use:

readfile("http://domain.com/filename");

You could of course also just use the allow_url_fopen directive in your php.ini file if you really want to turn this off. If you removed all the functions that developers could use to shoot themselves in the foot with, there wouldn't be much left to do interesting things.

------------------------------------------------------------------------

[2002-01-23 15:42:16] [EMAIL PROTECTED]

It's true that this is a 'user error'; however, there are scripts (e.g. phpnuke has this problem) that allow a user to enter the URL that will be included. So, you're right: if a script is secure you won't deal with this bug.. but I still see it as a security issue.

------------------------------------------------------------------------

[2002-01-23 15:37:30] [EMAIL PROTECTED]

This is bad programming. If you want to avoid this, you should NOT use include() for stuff on other servers, but fopen() or similar instead (which doesn't parse the data).

BTW: the 'bug' in issue.php can be avoided by proper use of register_globals, safe-mode and/or normal (unix) file permissions.

------------------------------------------------------------------------

[2002-01-23 15:36:30] [EMAIL PROTECTED]

RTFM! Include is for including PHP scripts into your PHP script. If you only want to include parsed output then do not use include.

------------------------------------------------------------------------

[2002-01-23 15:36:28] [EMAIL PROTECTED]

I call it a user error. No external sources are to be trusted with no error/security/integrity check.
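As an added illustration of the thread's point (example code, not from the bug report, from PHP itself, or from phpnuke; the page names, hosts and directory layout are hypothetical, and it is written for a current PHP rather than 4.1.1): a page dispatcher that keeps include() restricted to a fixed set of local scripts and fetches remote content with readfile(), which emits it as data without parsing it as PHP.

```php
<?php
// Added example, not code from the bug report, PHP, or phpnuke.
// The pattern the comments warn about is a user-controlled include target:
//   include($_GET['page']);   // with allow_url_fopen on, a URL here is fetched AND parsed as PHP
// Hardened form: map a user-supplied key onto an allowlist of local scripts,
// and treat anything remote as data only (readfile), as the comments suggest.
// Server-side hardening from the thread still applies: allow_url_fopen=Off
// in php.ini (and, on later PHP versions, allow_url_include=Off).

declare(strict_types=1);

// Allowlist of local pages that may be included (hypothetical file names).
const PAGES = [
    'home' => __DIR__ . '/pages/home.php',
    'news' => __DIR__ . '/pages/news.php',
];

/** Resolve a user-supplied page key to a local script path, or null if it is not allowed. */
function resolvePage(string $key): ?string
{
    // Exact key lookup; the user value is never concatenated into a path.
    return PAGES[$key] ?? null;
}

/** Accept only http(s) URLs on a fixed set of hosts (hypothetical host list). */
function isAllowedRemote(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $allowedHosts = ['www.example.com'];
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;   // only an allowlisted local script ever reaches include()

// Remote content is read and emitted as plain data, never run through the PHP parser.
if (isset($_GET['feed']) && isAllowedRemote($_GET['feed'])) {
    header('Content-Type: text/plain');
    readfile($_GET['feed']);   // still needs allow_url_fopen; the host check limits where it may go
}
```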
------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/?id=15187