
LWN.net:
Remote file inclusion vulnerabilities
October 12, 2006 @ 10:27:00

According to this article from LWN.net, you may need to be wary of how you use the allow_url_fopen configuration parameter on your server. There are remote file inclusion (RFI) issues that can turn calls to include or require already in your code into a way to run someone else's code.

An attacker's fondest wish is to be able to run their code on the target system; an RFI exploit does just that. By exploiting two very dubious 'features' of the PHP language, an attacker can inject their code into a PHP program on the server.

Basically, if the potential hacker can get control of a variable that is used inside an include and the script uses it (in)correctly, they can make the script fetch and run code from their server instead of the local copy. Turning off register_globals will provide some protection, but poor programming and not performing any input validation can poke holes in the script's security without the need for globals.
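To make the pattern concrete, here is an added example (not code from the LWN article or from PHPDeveloper.org) showing the kind of include that is at risk beside a hardened version that maps the request value onto a fixed allowlist of templates. The file names, the render_page functions and the pages/ directory are assumptions for the illustration; it assumes PHP 7 or later for the scalar type hints.

```php
<?php
// Added example: a request-controlled include beside its hardened form.

// AT RISK: the include path is assembled from a request parameter. When
// PHP's URL wrappers are enabled for include/require, a URL in $page
// makes the engine fetch and execute code from another host, which is
// exactly the remote file inclusion the article describes.
function render_page_unsafe(string $page): void
{
    include $page . '.php';
}

// HARDENED: request values are looked up in a fixed allowlist; anything
// not in the map falls back to a default. No user-supplied bytes reach
// include(), so neither a URL nor a traversal path can be injected.
// (The pages/ directory and template names are assumptions.)
const PAGE_TEMPLATES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_template(string $page): string
{
    return PAGE_TEMPLATES[$page] ?? PAGE_TEMPLATES['home'];
}

function render_page(string $page): void
{
    include resolve_template($page);
}

// Defense in depth: refuse to serve anything if remote includes are
// switched on at the PHP level. allow_url_include (PHP 5.2 and later)
// governs include/require of URLs separately from allow_url_fopen and
// should stay Off in production.
function assert_remote_includes_disabled(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be Off');
    }
}

// Usage: the query parameter only ever selects an allowlist key.
// A request such as ?page=about includes pages/about.php; any other value,
// including one that looks like a URL or a path, falls back to pages/home.php.
$page = $_GET['page'] ?? 'home';
assert_remote_includes_disabled();
render_page($page);
```

The point of the allowlist is that validation is done by lookup rather than by trying to sanitise the string: the request value is used as a key, never as part of a path, so it does not matter what characters it contains. The ini check is a belt-and-braces measure for hosts where you do not control php.ini.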

Check out the rest of the article for more information on this (potentially) serious issue, and double-check your code and configuration to make sure you're not at risk.


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework