PHP is often blamed for the fact that it may allow URLs to be included and executed. This is not surprising, because it is one of the most important causes of the class of vulnerabilities in PHP applications called remote URL include vulnerabilities.
For this reason, many security researchers recommend disabling allow_url_fopen in the php.ini configuration. Unfortunately, many of those who recommend this approach do not realise that it breaks many applications and does not guarantee a 100% fix for remote URL includes and the insecurity they bring.
Typically, users want PHP to disallow URL includes while still supporting URLs in the other file system functions.
For this reason, it was planned to provide allow_url_include in PHP 6. After these discussions, the feature was backported to PHP 5.2.0. Now most security researchers have changed their advice and only recommend disabling allow_url_include.
Unfortunately, allow_url_fopen and allow_url_include are not the root of the problem. Including local files in an application is still dangerous enough, because attackers often use session data, file uploads, log files and other means to get PHP code onto the server.
On the other hand, allow_url_fopen and allow_url_include only protect against stream wrappers that are flagged as URLs. This affects http(s) and ftp(s), but not the php:// or data: (new in PHP 5.2.0) wrappers. These URL forms make it very simple to inject PHP code.
Example 1: using php://input to read the POST data
Insecure include: the following include statement would include and execute everything POSTed to the server.
    <?php include "php://input"; ?>
Example 2: using data: to include arbitrary code
Insecure include: the following include statement would include and execute the base64-encoded payload, which here is just phpinfo().
    <?php include "data:;base64,PD9waHAgcGhwaW5mbygpOz8+"; ?>
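To make the point of the two examples concrete from the defender's side, the following is an added example (not code from the original post or from the Suhosin project) that runs the same kind of input through two checks: a scheme blocklist that only rejects http(s)/ftp(s), which is roughly what allow_url_fopen=Off and allow_url_include=Off enforce, and an allowlist that maps the request to a fixed set of files. The sample inputs, the `blocklistAllows` and `resolveAllowlisted` function names and the `pages/` directory are constructed for illustration; the code assumes PHP 7.1 or later.

```php
<?php
// Added example: why a scheme blocklist is not enough, and what an
// allowlist-based include looks like. Not from the original post.

// Constructed samples of what an attacker-controlled include parameter might carry.
$samples = [
    'about',                                   // legitimate page name
    'http://evil.example/shell.txt',           // classic remote URL include
    'php://input',                             // Example 1 from the post
    'data:;base64,PD9waHAgcGhwaW5mbygpOz8+',   // Example 2 from the post
    '../../etc/passwd',                        // local file traversal
];

// Weak check: rejects only the schemes that allow_url_fopen / allow_url_include
// cover, so php:// and data: pass straight through.
function blocklistAllows(string $page): bool
{
    return !preg_match('#^(https?|ftps?)://#i', $page);
}

// Hardened check: the request selects a key in a fixed table and never
// contributes a path or URL of its own. Unknown keys resolve to null.
// The pages/ directory is a constructed placeholder.
function resolveAllowlisted(string $page): ?string
{
    static $pages = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $pages[$page] ?? null;
}

foreach ($samples as $page) {
    printf("%-42s blocklist: %-7s allowlist: %s\n",
        $page,
        blocklistAllows($page) ? 'ALLOWS' : 'blocks',
        resolveAllowlisted($page) ?? 'rejected');
}

// In the real dispatcher the only include is guarded by the allowlist:
//   $path = resolveAllowlisted($_GET['page'] ?? 'home');
//   if ($path !== null) { include $path; }
```

Running the script shows the blocklist accepting `php://input`, the `data:` URL and the traversal string while the allowlist accepts only `about`. The design point is that the include target should be chosen by the application from a table, so that no wrapper, remote or local, can be named by the client at all.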
Putting all of this together makes it very obvious that neither allow_url_fopen nor allow_url_include is a guarantee, simply because the filter rarely covers these vectors. The way to resolve these URL include vulnerabilities 100% is our Suhosin extension.