Doc Bug #79476 remote file include
Submitted: 2020-04-14 15:28 UTC Modified: 2020-04-16 07:54 UTC
From: c0d1M4x at outlook dot com Assigned:
Status: Verified Package: *Configuration Issues
PHP Version: 7.2.29 OS: Linux/Windows
Private report: No CVE-ID: None
 [2020-04-14 15:28 UTC] c0d1M4x at outlook dot com
Description:
------------
[php version]

Tested versions are PHP 7.2.27 (CentOS) and PHP 7.3.x (Windows)

[linux install command]

yum install php72w-common php72w-fpm php72w-opcache php72w-gd php72w-mysqlnd php72w-mbstring php72w-pecl-redis php72w-pecl-memcached php72w-devel -y

[Issue]

The config file at issue is "php.ini".

When "allow_url_include" is set to "On", "auto_prepend_file" and "auto_append_file" can be set to a remote address, which will be successfully included and exploited. This may allow an attacker to use this configuration item to keep a getshell for a long time in the case of a getshell or other vulnerabilities.



 [2020-04-15 09:01 UTC] cmb@php.net
-Type: Security +Type: Documentation Problem
 [2020-04-15 09:01 UTC] cmb@php.net
allow_url_include defaults to Off, and is deprecated as of PHP
7.4.0.  If you enable this setting, you are supposed to know what
you are doing, so this is not a security issue.

I think, though, that this can be documented better.  The security
warning on the include man page[1] isn't as clear as it could be,
and likely a cautionary note should be added to the documentation
of the INI setting[2].  Furthermore, its deprecation has to be
documented.

[1] <https://www.php.net/manual/en/function.include.php>
[2] <https://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include>
 [2020-04-16 07:54 UTC] cmb@php.net
-Status: Open +Status: Verified
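As an added example that is not part of this report or of PHP itself, the following POSIX shell audit checks a php.ini for the combination described in the report and in the follow-up: allow_url_include enabled (default Off, deprecated since 7.4.0) together with a URL in auto_prepend_file or auto_append_file. The sample php.ini and the host name in it are constructed.

```shell
# Added example, not part of the bug report or of PHP itself: audit a php.ini
# for the combination described above, allow_url_include=On together with an
# auto_prepend_file / auto_append_file value that is a URL (stream wrapper).

# Effective value of a directive: PHP reads php.ini top to bottom, so the last
# uncommented assignment wins; surrounding whitespace and quotes are stripped.
ini_value() {
    # $1 = path to php.ini, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# Exit status: 0 = nothing found, 1 = allow_url_include enabled,
# 2 = allow_url_include enabled AND a remote auto_*_file is set.
audit_php_ini() {
    ini="$1"
    findings=0
    case "$(ini_value "$ini" allow_url_include | tr 'A-Z' 'a-z')" in
        on|1|true|yes)
            echo "WARN: allow_url_include is On (default Off, deprecated since PHP 7.4.0)"
            findings=1 ;;
    esac
    for d in auto_prepend_file auto_append_file; do
        v="$(ini_value "$ini" "$d")"
        case "$v" in
            *://*)   # a scheme means a stream wrapper, not a file on disk
                echo "WARN: $d=$v is a URL, not a local path"
                [ "$findings" -ge 1 ] && {
                    echo "CRITICAL: $d would be fetched remotely and run on every request"
                    findings=2; } ;;
        esac
    done
    return "$findings"
}

# Constructed sample reproducing the reported configuration (hypothetical host).
write_sample_ini() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
; commented-out defaults must be ignored by the audit
;allow_url_include = Off
allow_url_include = On
auto_prepend_file = "http://example.invalid/prepend.php"
EOF
    echo "$f"
}

sample="$(write_sample_ini)"
audit_php_ini "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

On a real server, run it against the file reported by `php --ini` ("Loaded Configuration File") and against any per-pool or per-directory overrides, since those can set the same directives.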
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Oct 21 19:01:23 2020 UTC