From: "David Stoltz" on
allow_url_include is (or should be) disabled by default.

http://us2.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include

I can't think of one good reason to ever enable this, it would be a
security issue no matter how you slice it...

-----Original Message-----
From: Igor Escobar [mailto:titiolinkin(a)gmail.com]
Sent: Tuesday, June 08, 2010 10:11 AM
To: richgray(a)gmail.com
Cc: <php-general(a)lists.php.net>
Subject: Re: [PHP] Security Issue

Hey Richard,

I'll find more about this parameter allow_url_include, thank you!


Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 5:26 PM, richard gray <rich(a)richgray.com> wrote:

> On 07/06/2010 20:00, Igor Escobar wrote:
>
>> PHP Injection is the technical name given to a security hole in PHP
>> applications. When this gap exists, a hacker can supply external code
>> that is interpreted as inner code, as if the included code were part
>> of the script.
>>
>> // my code...
>> // my code...
>> include ('http://..../externalhackscript.txt');
>> //my code...
>> //my code..
>>
> can you not switch off remote file includes in php.ini?
> This will stop include/require from a remote host..
> i.e. allow_url_include = Off in php.ini
>
> HTH
> Rich
>
From: Michael Shadle on
Yes, and scrubbing the input to ensure the field used for this URL
rejects certain characters, or does sanity checking on it, would also be
another suggestion. Turning this off would fix remote include
requests, but you still need to check for people requesting local files.
You should never take user input and put it directly into include or shell
execs or anything.

On Jun 8, 2010, at 11:55 AM, "David Stoltz" <Dstoltz(a)SHH.ORG> wrote:

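The two defences the thread settles on, the php.ini directive Rich names and the "never put user input straight into include" rule Michael adds, shown together as an added example that is not code from any poster. It assumes a hypothetical page loader that takes a `page` request parameter and a `./pages/` directory holding `home.php`, `about.php` and `contact.php`; `render_page_vulnerable()` is the pattern Igor's snippet describes and exists only for comparison.

```php
<?php
// Added example, not from the thread. Assumed layout: ./pages/home.php,
// ./pages/about.php, ./pages/contact.php.

// VULNERABLE pattern (shown for comparison, never called below): the raw
// request value is the include target. With allow_url_include=On that is
// remote file inclusion; even with it Off, a value such as
// "../../etc/passwd" still pulls in a local file (local file inclusion),
// which is the point Michael makes about checking for local requests.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED pattern: the user-supplied value is only ever a key into a
// fixed allow-list, so no part of it becomes a filesystem path or URL.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the template for $key, or null if $key is
// unknown or the resolved file does not sit inside $base.
function resolve_page(string $key, string $base = __DIR__ . '/pages'): ?string
{
    if (!array_key_exists($key, PAGE_MAP)) {
        return null;
    }
    $path     = realpath($base . '/' . PAGE_MAP[$key]);
    $baseReal = realpath($base);
    // Defence in depth: even with an allow-list, confirm the canonical path
    // is still under the template directory before including it.
    if ($path === false || $baseReal === false
        || strpos($path, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $key): void
{
    $path = resolve_page($key);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

// Interpreter-level defence from Rich's reply. The directive belongs in
// php.ini as "allow_url_include = Off"; it cannot be changed at runtime
// with ini_set(), so this only reports whether the deployment got it right.
function remote_includes_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (!remote_includes_disabled()) {
    error_log('allow_url_include is On; remote include() targets are reachable');
}

render_page($_GET['page'] ?? 'home');
```

Both layers are needed: the php.ini setting closes the remote case for every script on the host, while the allow-list closes the local case that the setting does not touch. Rejecting characters such as `/` or `..` from the input, as Michael suggests, is a weaker substitute for the allow-list, because the set of dangerous inputs (wrappers like `php://`, null bytes on old versions, encoded traversal) is harder to enumerate than the set of pages you actually serve.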