Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-03 Thread Bostjan Skufca @ domenca.si
Well, of course this was never meant to protect you from inside attacks. But if you also disable eval() then I believe it's pretty much harder to create a successful attack via chmod-777-write-exec procedure (from outside). This patch is meant to prevent accidental DOS attacks by recursive inclus

Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Richard Lynch
Bostjan Skufca @ domenca.com wrote:
> From system security's standpoint:
>
> <?php
> $content = file_get_contents('http://www.domain.net/file.inc');
> echo $content;
> ?>
>
> is OK, but
>
> <?php
> include('http://www.domain.net/file.inc');
> ?>
>
> is NOT!
>
> Nice patch, Tom, will probably use it myself too...

Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Bostjan Skufca @ domenca.com
From system security's standpoint:

<?php
$content = file_get_contents('http://www.domain.net/file.inc');
echo $content;
?>

is OK, but

<?php
include('http://www.domain.net/file.inc');
?>

is NOT!

Nice patch, Tom, will probably use it myself too...

regards,
Bostjan

On Wednesday 02 March 2005 11:54, Markus Mayer wrote:
> Correct me if I'm wrong

Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-02 Thread Markus Mayer
Correct me if I'm wrong, but isn't this already available in the standard PHP? In the php.ini file, you can refuse the inclusion of URLs:

allow_url_fopen = Off

I think also Hardened PHP offers additional similar protections.

Markus

On Wednesday 02 March 2005 08:57, Tom Z. Meinlschmi

[PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

2005-03-01 Thread Tom Z. Meinlschmidt
Hi, I've experienced a lot of attacks in my hosting server due to silly users and their scripts with holes. So I prepared this little patch to 4.3.10, which disables using URL wrappers in include/include_once/require/require_once statements (switchable in php.ini). See readme.security from patch p
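
The thread separates reading a remote file as data with file_get_contents() from executing it with include(). The audit script below is an added example, not part of any message or of Tom's patch: it lists the include/require statements in a source file whose target is a URL literal or is built at run time. The function name `audit_includes` and the sample source are constructed for illustration, and PHP 7 or later with the tokenizer extension is assumed.

```php
<?php
// Added example, not from the thread: audit include/require targets in PHP source.
const INCLUDE_TOKENS = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];

function audit_includes(string $source): array
{
    $tokens = token_get_all($source);
    $findings = [];
    for ($i = 0; $i < count($tokens); $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || !in_array($tok[0], INCLUDE_TOKENS, true)) {
            continue;
        }
        // Gather the argument tokens up to ';' or the closing '?>' tag.
        $literal = '';
        $dynamic = false;
        for ($j = $i + 1; $j < count($tokens); $j++) {
            $t = $tokens[$j];
            if ($t === ';' || (is_array($t) && $t[0] === T_CLOSE_TAG)) {
                break;
            }
            if ($t === '(' || $t === ')' || $t === '.'
                || (is_array($t) && $t[0] === T_WHITESPACE)) {
                continue;   // grouping, concatenation and spacing carry no data
            }
            if (is_array($t) && $t[0] === T_CONSTANT_ENCAPSED_STRING) {
                $literal .= substr($t[1], 1, -1);   // strip the quotes
            } else {
                $dynamic = true;   // variable, function call, constant, ...
            }
        }
        if ($dynamic) {
            $findings[] = ['line' => $tok[2], 'issue' => 'target built at run time'];
        } elseif (preg_match('~^[a-z][a-z0-9+.-]*://~i', $literal)) {
            $findings[] = ['line' => $tok[2], 'issue' => 'URL wrapper: ' . $literal];
        }
    }
    return $findings;
}

// Constructed sample: the two cases from the thread plus a local and a dynamic include.
$sample = <<<'SRC'
<?php
$content = file_get_contents('http://www.domain.net/file.inc');
include('http://www.domain.net/file.inc');
require_once 'lib/db.php';
include $_GET['page'] . '.php';
SRC;

print_r(audit_includes($sample));
```

The file_get_contents() call and the local require_once are not reported; the URL include and the include built from request data are.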