PHP :: Bug #15187 :: PHP parses untrusted documents (or something like that ;P)

Bug #15187

PHP parses untrusted documents (or something like that ;P)

Submitted:

2002-01-23 15:30 UTC

Modified:

2002-01-23 15:52 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

tozz at kijkt dot tv

Assigned:

Status:

Not a bug

Package:

Scripting Engine problem

PHP Version:

4.1.1

OS:

Linux 2.4

Private report:

CVE-ID:

None

View Developer Edit

[2002-01-23 15:30 UTC] tozz at kijkt dot tv

Hello,

I think there is a pretty large security issue in PHP. E.g. we have 2 servers, we call server 1 'embrace', and name server 2 'kossy'.

on embrace we create a file index.php:
<? include("http://kossy/issue.php"); ?>

on kossy we create a file issue.php:
<? system($cmd); ?>

well, if we now type: http://embrace/index.php?cmd=ls we see the 'ls' output from kossy. This is the way it should be.. BUT, when we disable PHP op kossy we get a rather nasty bug (imho).

If we type http://embrace/index.php?cmd=ls again (where kossy has no PHP support) embrace includes the PHP source code from kossy and then parses the file, which will give us the 'ls' result on embrace.

This can be used for numerous attacks. And I PHP should only include parsed PHP or non-PHP files from external (http://) links.

Bye,
Tozz

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-01-23 15:36 UTC] jan@php.net

I call it a user error. no external sources are to be trusted with no error/security/integrity check.

[2002-01-23 15:36 UTC] sesser@php.net

RTFM!

Include is for including PHP scripts into your PHP script.
If you only want to include parsed output then do not use
include.

[2002-01-23 15:37 UTC] sander@php.net

This is bad programming. If you want to avoid this, you should NOT use include() for stuff on other servers, but fopen() or similar instead (which doesn't parse the data).

BTW: the 'bug' in issue.php can be avoided by proper use of register_globals, safe-mode and/or normal (unix) file permissions.

[2002-01-23 15:42 UTC] tozz at kijkt dot tv

It's true dat this is a 'user error', however there are scripts (e.g. phpnuke has this problem) that allows a user to enter the URL that will be included. 

So, your right if a script is secure you wont deal with this bug.. but I still see it as a security issue

[2002-01-23 15:49 UTC] rasmus@php.net

We can't stop developers from shooting themselves in the foot.  If you want to include a remote file without parsing it locally, you would use: 
readfile("http://domain.com/filename");
You could of course also just use the allow_url_fopen directive in your php.ini file if you really want to turn this off.
If you removed all the functions that developers could use to shoot themselves in the foot with there wouldn't be much left to do interesting things.

[2002-01-23 15:52 UTC] sesser@php.net

speaking of phpnuke...

this security problem in phpnuke was reported a while back
to its developers. if they havent fixed it by now blame them.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Nov 06 19:00:01 2025 UTC