For this reason, many security researchers recommend disabling the allow_url_fopen setting in the php.ini configuration. Unfortunately, many of the people who recommend this approach do not realize that it can break many applications and still does not guarantee a 100% fix for remote URL includes and the insecurity they bring.
Typically, users want PHP to disallow URL inclusion while still supporting URL handles in the other file system functions.
For this reason, a separate allow_url_include setting was planned for PHP 6. After these discussions, the feature was backported to PHP 5.2.0. Most security researchers have since changed their advice and now suggest disabling allow_url_include.
Unfortunately, allow_url_fopen and allow_url_include are not the root of the problem. On the one hand, including local files in an application is still dangerous enough, because attackers can often get PHP code onto the local file system through session data, file uploads, log files and other routes.
On the other hand, allow_url_fopen and allow_url_include only protect against URL handles that are flagged as URLs. This covers http(s) and ftp(s), but not the php:// or data: (new in PHP 5.2.0) URL forms, and those allow very simple PHP code injection.
Example 1: using php://input to read the POST data
Insecure include: the following include statement would include and execute everything POSTed to the server.
<?php include "php://input"; ?>
Example 2: using data: to include arbitrary code
Insecure include: the following include statement would include and execute the base64-encoded payload. Here the payload is just phpinfo().
<?php include "data:;base64,PD9waHAgcGhwaW5mbygpOz8+"; ?>
Taking these into account, it becomes very evident that neither allow_url_fopen nor allow_url_include guarantees protection, especially since these vectors are rarely filtered. The way to resolve these URL include vulnerabilities 100% is our Suhosin extension.
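The article's point is that ini settings alone cannot make a request-controlled include safe: the php:// and data: forms slip past the URL checks, and a local file the attacker has written to is just as dangerous. The defensive counterpart is to never hand request input to include() at all, but to map it through an allow-list and a canonical-path check. The following resolver is an added example and is not code from the original article or from Suhosin; the directory layout (a `pages/` directory of templates addressed by a short name), the allow-list contents and the `page` request parameter are assumptions made for the illustration.

```php
<?php
// Added example, not from the original article: a hardened replacement for
//     include $_GET['page'];
// Assumptions: includable templates live under PAGES_DIR as <name>.php and
// are addressed by a bare name that must appear in ALLOWED_PAGES.

const PAGES_DIR = __DIR__ . '/pages';            // assumed template directory
const ALLOWED_PAGES = ['home', 'about', 'contact']; // assumed allow-list

/**
 * Structural check on the raw request value: a single path segment made of
 * [a-z0-9_-], at most 32 characters. No ':' (so no php://, data:, http://),
 * no '/' or '\' and no '.', which rules out every wrapper form from the
 * article as well as path traversal, before any file system access happens.
 */
function is_safe_page_name($value): bool
{
    return is_string($value) && preg_match('/\A[a-z0-9_-]{1,32}\z/', $value) === 1;
}

/**
 * Map an untrusted request value to a concrete template path, or return null.
 * Three independent layers: syntax, allow-list, canonical path containment.
 */
function resolve_page($requested): ?string
{
    if (!is_safe_page_name($requested)) {
        return null;
    }
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // realpath() collapses symlinks and '..'; require the result to sit
    // inside the canonical base directory (with the separator, so that
    // "/var/www/pages_old" is not accepted as a prefix match of "/var/www/pages").
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Inputs in the style of the article's two examples are rejected at the
// syntax layer, before include() is ever reached:
//   is_safe_page_name('php://input')                          -> false
//   is_safe_page_name('data:;base64,PD9waHAgcGhwaW5mbygpOz8+') -> false
//   is_safe_page_name('../../tmp/sess_1234')                  -> false
//   is_safe_page_name('home')                                 -> true

// Hardened usage: the include target is a value the application computed,
// never the request string itself.
$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('unknown page');
}
include $page;
```

The three layers are deliberately redundant: the regular expression stops every wrapper scheme and traversal string regardless of which ini settings are in effect, the allow-list stops names that are syntactically fine but not meant to be includable, and the realpath() containment check protects against a template directory that contains a stray symlink. Because the decision is made on the application's own identifier rather than on the request string, it does not depend on allow_url_fopen or allow_url_include at all, which is what the article argues a real fix has to achieve.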