Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-03 Thread Bostjan Skufca @ domenca.si
Well, of course this was never meant to protect you from inside attacks. But if 
you also disable eval() then I believe it's pretty much harder to create a 
successful attack via chmod-777-write-exec procedure (from outside).

This patch is meant to prevent accidental DOS attacks by recursive inclusion 
(local users) and to in some degree prevent the execution of external code 
via GET/POST variable exploit (remote attack).

But though it is not a complete assessment of security risk it is a step 
towards the right direction - one can apply it and start thinking about better 
solution/other risks etc.

regards,
Bostjan


On Wednesday 02 March 2005 20:09, Richard Lynch wrote:
> Bostjan Skufca @ domenca.com wrote:
> > From system security's standpoint:
> >
> > <?php
> > $content = file_get_contents('http://www.domain.net/file.inc');
> > echo $content;
> > ?>
> >
> > is OK, but
> >
> > <?php
> > include('http://www.domain.net/file.inc');
> > ?>
> >
> > is NOT!
> >
> > Nice patch, Tom, will probably use it myself too...
>
> I'll be interested to see if it works in practice...
> [see previous post of mine]
>
> Ya never know.
>
> I still haven't figured out why spam harvesters don't find even the
> simplest obfuscations like %40 and &#64;
>
> But I guess if you come up with a billion fish every time you cast your
> line, you don't worry about buying better bait.
>
> I *suspect* this situation is different, in that you will have people
> actively trying to alter their attacks to bypass this blockage, and it's
> pretty simple to bypass.
>
> But, perhaps, it will turn out to be that there are so many unpatched
> wide-open places they can find that they'll never bother you again.
>
> I sure hope so, for your sake!
>
> --
> Like Music?
> http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Markus Mayer
Correct me if I'm wrong, but isn't this already available in the standard PHP?  
In the php.ini file, you can refuse the inclusion of URLs:
allow_url_fopen = Off

I think also Hardened PHP offers additional similar protections.

Markus

On Wednesday 02 March 2005 08:57, Tom Z. Meinlschmidt wrote:
> Hi,
>
> I've experienced a lot of attacks on my hosting server due to silly users
> and their scripts with holes. So I prepared this little patch to 4.3.10,
> which disables using url wrappers in
> include/include_once/require/require_once statements (switchable in
> php.ini). See readme.security from patch
>
> patch is there:
>
> http://orin.meinlschmidt.org/~znouza/php_patch.txt
>
> comments are welcome
>
> /tom






Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Bostjan Skufca @ domenca.com
From system security's standpoint:

<?php
$content = file_get_contents('http://www.domain.net/file.inc');
echo $content;
?>

is OK, but

<?php
include('http://www.domain.net/file.inc');
?>

is NOT!

Nice patch, Tom, will probably use it myself too...

regards, 
Bostjan

On Wednesday 02 March 2005 11:54, Markus Mayer wrote:
> Correct me if I'm wrong, but isn't this already available in the standard
> PHP? In the php.ini file, you can refuse the inclusion of URLs:
>   allow_url_fopen = Off
>
> I think also Hardened PHP offers additional similar protections.
>
> Markus
>
> On Wednesday 02 March 2005 08:57, Tom Z. Meinlschmidt wrote:
> > Hi,
> >
> > I've experienced a lot of attacks on my hosting server due to silly users
> > and their scripts with holes. So I prepared this little patch to 4.3.10,
> > which disables using url wrappers in
> > include/include_once/require/require_once statements (switchable in
> > php.ini). See readme.security from patch
> >
> > patch is there:
> >
> > http://orin.meinlschmidt.org/~znouza/php_patch.txt
> >
> > comments are welcome
> >
> > /tom
> >

-- 
Best regards,

Bostjan Skufca
system administrator

Domenca d.o.o. 
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com




Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Richard Lynch
Bostjan Skufca @ domenca.com wrote:
> From system security's standpoint:
>
> <?php
> $content = file_get_contents('http://www.domain.net/file.inc');
> echo $content;
> ?>
>
> is OK, but
>
> <?php
> include('http://www.domain.net/file.inc');
> ?>
>
> is NOT!
>
> Nice patch, Tom, will probably use it myself too...

I'll be interested to see if it works in practice...
[see previous post of mine]

Ya never know.

I still haven't figured out why spam harvesters don't find even the
simplest obfuscations like %40 and &#64;

But I guess if you come up with a billion fish every time you cast your
line, you don't worry about buying better bait.

I *suspect* this situation is different, in that you will have people
actively trying to alter their attacks to bypass this blockage, and it's
pretty simple to bypass.

But, perhaps, it will turn out to be that there are so many unpatched
wide-open places they can find that they'll never bother you again.

I sure hope so, for your sake!

-- 
Like Music?
http://l-i-e.com/artists.htm




[PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-01 Thread Tom Z. Meinlschmidt
Hi,

I've experienced a lot of attacks on my hosting server due to silly users and
their scripts with holes. So I prepared this little patch to 4.3.10, which
disables using url wrappers in include/include_once/require/require_once
statements (switchable in php.ini). See readme.security from patch

patch is there:

http://orin.meinlschmidt.org/~znouza/php_patch.txt

comments are welcome

/tom

-- 
===
Tomas Meinlschmidt, SBN3, MCT, MCP, MCP+I, MCSE, NetApp Filer  NetCache
gPG fp: CB78 76D9 210F 256A ADF4 0B02 BECA D462 66AB 6F56 / $ID: 66AB6F56
GCS d-(?) s: a- C++ ULHISC*$ P+++ L+++$ E--- W+++$ N++(+) !o
!K w(---) !O !M V PS+ PE Y+ PGP++ t+@ !5 X? R tv b+ !DI D+ G e+++
h r+++ z+++@
===

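Added example, not code from the thread, from Tom's patch, or from PHP itself: the situation Tom's patch and Markus's `allow_url_fopen = Off` both address is include() being handed a value that arrived in GET/POST and turns out to be a URL. The loader below, written in modern PHP (7 or later, so not literally droppable into a 4.3.10 site), removes the problem at the application level by never passing request data to include() at all: the request value only selects an entry of a fixed map, and the resolved file is additionally checked to sit under an assumed ./pages/ directory. A second function reports whether the two php.ini switches that let include() reach the network are still on; `allow_url_include` is the include-specific switch that PHP added in 5.2, after this thread, so a site on 4.3.10 only has `allow_url_fopen` (or a patch like Tom's) to rely on.

```php
<?php
// Added example (not from the thread, the patch, or PHP's sources).
// Assumed layout: includable page fragments live under ./pages/ and are
// chosen by a short key in the query string, e.g. ?page=contact.

declare(strict_types=1);

// Allow-list: request key => file on disk. Nothing outside this map is includable.
const PAGE_MAP = [
    'home'    => 'home.inc',
    'contact' => 'contact.inc',
];

/**
 * Map a request parameter to an includable path, or return null if it is not
 * on the allow-list. The request value is only ever used as an array key, so
 * a "http://" prefix, a "../" sequence or a NUL byte never reaches include().
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!isset(PAGE_MAP[$requested])) {
        return null;
    }
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MAP[$requested]);
    $base = realpath($baseDir);
    // Defence in depth: even a mis-edited map entry must resolve inside $baseDir.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Report which php.ini switches would still let include() fetch over the
 * network. allow_url_fopen is the directive Markus mentions; allow_url_include
 * (PHP >= 5.2) governs include/require specifically. ini_get() returns "" or
 * false for a directive the running PHP does not know, which reads as Off here.
 */
function url_include_exposure(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Usage: the request only picks a key; the include argument is always a
// realpath() result from inside the assumed ./pages/ directory.
$requested = (string) ($_GET['page'] ?? 'home');
$file = resolve_page($requested, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Bostjan's distinction between file_get_contents() and include() holds for this loader as well: with the map in place, reading a remote document into a string remains possible where the site needs it, while the only thing ever executed is a file the administrator put on disk. url_include_exposure() is the check to run on a fresh server before trusting the application code at all, since a later php.ini change can silently re-enable what the patch or the map was guarding against.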