Use and explanation of PHP allow_url_include

Source: Internet
Author: User

For this reason, many security researchers recommend disabling allow_url_fopen in the php.ini configuration. Unfortunately, many of those who recommend this do not realize that it breaks many applications, and that it is no 100% guarantee against remote URL inclusion and the security problems it causes.

Generally, users need PHP's other filesystem functions to keep their URL wrapper support, while not needing URL inclusion at all.

For this reason, allow_url_include was planned for PHP 6. After those discussions the feature was backported to PHP 5.2.0. Most security researchers have since changed their recommendation and now advise disabling only allow_url_include.

Unfortunately, allow_url_fopen and allow_url_include do not solve the whole problem. On the one hand, including local files is still dangerous in an application, because attackers often get PHP code onto the server through session data, file uploads, log files and other channels.

On the other hand, allow_url_fopen and allow_url_include only protect against URL handlers that are flagged as remote URLs. This covers http(s) and ftp(s), but not php:// or data: (new in PHP 5.2.0) URLs, and these URL forms make PHP code injection very simple.

Example 1: using php://input to include the POST data

<?php
// Insecure include (deliberately vulnerable, as in the original article).
// The following include statement will include and execute
// everything POSTed to the server, because php://input is not a
// remote URL and is therefore not stopped by allow_url_fopen or
// allow_url_include on the PHP version discussed here.

include "php://input";
?>

Example 2: using a data: URL to include arbitrary code

<?php
// Insecure include (deliberately vulnerable, as in the original article).
// The following include statement will include and execute the
// base64-encoded payload. Here the payload is just phpinfo().

include "data:;base64,PD9waHAgcGhwaW5mbygpOz8+";
?>

Putting these into practice, it is obvious that neither allow_url_fopen nor allow_url_include is a guarantee, because input filters seldom filter these vectors. The only 100% solution to these URL include vulnerabilities is our Suhosin extension.
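The two examples above show that an include whose target comes from the client is exploitable even with the URL directives off, and the conclusion above notes that ad-hoc filters rarely catch the php:// and data: forms. The following hardened form is an added example, not code from the original article or from the Suhosin project: it dispatches through an allowlist map, so the client only ever supplies a key, never a path or URL, and no stream wrapper of any kind reaches include regardless of allow_url_fopen or allow_url_include. The function name resolve_page, the templates directory layout and the page names are assumptions. (Later PHP releases extended allow_url_include to cover php://input and data: and deprecated the directive in PHP 7.4; the allowlist does not depend on any of that.)

```php
<?php
// Added example, not from the original article: a hardened replacement for
// `include $_GET['page']` that does not rely on allow_url_fopen or
// allow_url_include. Function name, directory layout and page names are
// assumptions made for this example.

declare(strict_types=1);

// The only pages this script may include. Keys are the values a client is
// allowed to send; values are real files below the template directory.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a client-supplied page key to an absolute file path, or null.
 *
 * Any stream wrapper (http://, ftp://, php://input, data:, ...) and any
 * path fragment fails the allowlist lookup, so the php.ini settings are
 * irrelevant to this check. The realpath() prefix comparison additionally
 * guards against a symlink or a mistaken map entry pointing outside
 * the template directory.
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGE_ALLOWLIST)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_ALLOWLIST[$requested]);
    if ($base === false || $path === false) {
        return null;
    }

    // The resolved file must sit strictly below the resolved base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

// Insecure form, shown only for contrast (same flaw as the two examples above):
//
//     include $_GET['page'];
//
// Hardened form: the client chooses a key, the server chooses the file.
$templateDir = __DIR__ . '/templates';   // assumed layout
$page = resolve_page((string) ($_GET['page'] ?? 'home'), $templateDir);

if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}

include $page;
```

Because the lookup is an exact key match, there is nothing to "filter": a request such as `?page=php://input` or `?page=data:;base64,...` simply has no entry and is rejected before include is reached. If the application genuinely needs to include remote resources, that is a separate, explicit code path with its own fixed URL, not a value taken from the request.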
