Request #25461 include insecurity
Submitted: 2003-09-09 19:48 UTC Modified: 2003-09-10 22:03 UTC
From: ashley at netcraft dot com dot au Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.3.3 OS: Linux
Private report: No CVE-ID: None
 [2003-09-09 19:48 UTC] ashley at netcraft dot com dot au
Description:
------------
I think it's highly insecure that 'include' and 'require' support http:// URLs by default.  Why would you want to execute arbitrary code from another web page?  I have seen many sites that are exploitable because they do

require $page . ".php";

Although this is bad programming, it's still insecure to allow http URLs by default.  Also, I'd strongly suggest never using http includes unless you control the DNS for the domain of the site you are connecting to.  Otherwise the hostname could be changed over to a different page.


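The pattern the reporter describes, next to a hardened form, as an added example that is not part of the bug report. It assumes page files live in a ./pages/ directory and that the page name arrives in $_GET['page']; the allowlist contents are constructed for the example.

```php
<?php
// Added example, not from the bug report. Assumes page files live in ./pages/
// and the requested page name arrives in $_GET['page'] (constructed setup).

// VULNERABLE: with allow_url_fopen=On, $page may be an http:// or ftp:// URL,
// so the script fetches and executes whatever that remote host serves.
function include_page_unsafe(string $page): void
{
    require $page . ".php";
}

// HARDENED: never build an include path from raw request data; map the
// request onto a fixed allowlist of local files instead.
const ALLOWED_PAGES = ['home', 'about', 'contact']; // constructed for the example

function include_page_safe(string $page): void
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        http_response_code(404);
        exit('Unknown page');
    }
    require __DIR__ . '/pages/' . $page . '.php';
}

// Defence in depth: resolve the path and confirm it still lies inside ./pages/,
// so neither a URL nor a ../ traversal can escape the directory.
function resolve_page_path(string $page): ?string
{
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . basename($page) . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Configuration check: the directive the thread points at. Disabling it in
// php.ini (allow_url_fopen = Off) removes the remote-include behaviour entirely.
if (ini_get('allow_url_fopen')) {
    error_log('allow_url_fopen is On: URL-aware include/require is enabled');
}

$page = $_GET['page'] ?? 'home';
include_page_safe($page);
```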
 [2003-09-09 21:02 UTC] sniper@php.net
Search php.ini-dist (or php.ini-recommended) for "allow_url_fopen" directive.

 [2003-09-09 21:17 UTC] ashley at netcraft dot com dot au
I know there's an option for it, but it should come with a warning that it also enables URLs on include/require.
 [2003-09-10 03:05 UTC] derick@php.net
From php.ini:

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.

From the manual:

allow_url_fopen = On
allow_url_fopen  boolean
This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers.

 [2003-09-10 22:03 UTC] ashley at netcraft dot com dot au
No point in this.  I know it's in the config file.  I know it's in the manual.  I still see it as insecure and there should be a security warning.
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri Aug 01 13:00:03 2025 UTC