Bug #41156 url_fopen default value
Submitted: 2007-04-21 09:37 UTC Modified: 2007-04-22 16:45 UTC
From: c dot heutger at psw dot net Assigned:
Status: Closed Package: PHP options/info functions
PHP Version: 4.4.6 OS: irrelevant
Private report: No CVE-ID: None
 [2007-04-21 09:37 UTC] c dot heutger at psw dot net
Description:
------------
Meanwhile you installed a big warning in the PHP installation on register_globals and defaulted it to off, but there is no warning at all and url_fopen is on by default, although with the use of includes this variable opens a door from outside into your applications for any hackers (e.g. used by opensurveypilot). So we had many hackings in the last time, as this variable is on either by default installation or by templates like those distributed via SWsoft's Virtuozzo or with Plesk. This value should be warned about the same way and set to off by default like register_globals.

Reproduce code:
---------------
Try to refer to any http:// resource in e.g. opensurveypilot files using include while url_fopen is on

Expected result:
----------------
Hacked sites if it's like default

url_fopen off by default in future PHP versions

Actual result:
--------------
A big security hole for lame code and programmers is still open.

 [2007-04-21 10:02 UTC] edink@php.net
This issue was addressed in the latest 5.2.x releases by disallowing using remote files in include statements by default.
 [2007-04-22 16:38 UTC] c dot heutger at psw dot net
Perhaps can be added also to new versions of 4.x?
 [2007-04-22 16:45 UTC] derick@php.net
No, no new functionality will be added to the PHP 4.4 series - it is in maintenance mode only.
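The inclusion pattern the report describes, beside a hardened form and a check of the two directives edink@php.net's comment refers to. This is an added example, not code from opensurveypilot or from PHP; the template names, the `templates/` directory and the `page` request parameter are assumptions.

```php
<?php
// Vulnerable pattern of the kind the report describes (constructed for this
// example): a request parameter flows straight into include. When the
// interpreter is allowed to include URLs, the parameter may name a remote
// http:// resource and the server then executes code it did not ship.
function vulnerable_page_include(string $page): void
{
    include $page; // DO NOT use: inclusion target is attacker-controlled
}

// Hardened form: map the request value onto a fixed allowlist of local
// templates. The caller never supplies a path, so no URL or stream wrapper
// can reach include, whatever the ini settings are.
const PAGE_TEMPLATES = [
    'home'    => 'templates/home.php',
    'contact' => 'templates/contact.php',
];

function resolve_template(string $page): ?string
{
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        return null; // unknown key: refuse rather than guess
    }
    $path = realpath(__DIR__ . '/' . PAGE_TEMPLATES[$page]);
    $base = realpath(__DIR__ . '/templates');
    // realpath() fails on missing files, and the prefix check rejects a
    // template that resolved outside the template directory (e.g. a symlink).
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Configuration check. Since PHP 5.2, allow_url_include (default Off) governs
// include/require of URLs; allow_url_fopen still governs fopen() and
// file_get_contents() on URLs and remains On by default. Both are reported
// here so an operator can confirm the deployment matches the fix described.
function remote_include_settings(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

$template = resolve_template($_GET['page'] ?? 'home');
if ($template === null) {
    http_response_code(404);
    exit;
}
include $template;
```

allow_url_include is a system-level directive (php.ini or the web server's PHP configuration), so the check above can only report it, not change it at runtime.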
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 25 13:01:30 2024 UTC