Usage and description of allow_url_include in PHP 5.2.0

Source: Internet
Author: User
PHP is often blamed because it allows URLs to be included and executed. That is no surprise: one of the most common ways PHP applications get exploited is through so-called Remote URL Include vulnerabilities.

For this reason many security researchers recommended disabling the allow_url_fopen directive in php.ini. Unfortunately, many of the people recommending this were not aware that it breaks a lot of applications, and that it is not a 100% solution against remote URL include vulnerabilities anyway.

What users commonly asked for was a way to keep using URL wrappers in the other file system functions (fopen(), file_get_contents(), ...) while having PHP refuse URLs in include and require statements.

Because of this, an allow_url_include directive was planned for PHP 6. After some discussion the feature was backported to PHP 5.2.0, and most security researchers have since switched their recommendation to disabling allow_url_include.

Unfortunately, neither allow_url_fopen nor allow_url_include solves the underlying problem. On the one hand, including local files whose name an attacker controls remains dangerous, because attackers can frequently plant PHP code on the server through session data, file uploads, log files and similar channels.

On the other hand, allow_url_fopen and allow_url_include only restrict stream wrappers that are flagged as URL wrappers. This covers http(s) and ftp(s), but it does not cover php:// or data: (the latter new in PHP 5.2.0) URLs, and both of these make PHP code injection very easy. (Later PHP releases extended allow_url_include to data: and php://input, so the two examples below apply to PHP 5.2.0 as shipped; php://filter and local files remain unaffected by either directive.)

Example 1: Using php://input to read the POST data

<?php
// Insecure include
// The following include statement will
// include and execute everything POSTed
// to the server
include 'php://input';
?>

Example 2: Using data: to include arbitrary code

<?php
// Insecure include
// The following include statement will
// include and execute the base64 encoded
// payload. Here this is just phpinfo():
// the payload decodes to "<?php phpinfo();?>"
include 'data:;base64,PD9waHAgcGhwaW5mbygpOz8+';
?>

Putting this together, it is obvious that neither allow_url_fopen nor allow_url_include is the cure. They stop some automated attacks, but they leave the php:// and data: vectors, and every local-file vector, untouched. A 100% solution to URL include vulnerabilities needs a filtering approach, such as the one in our Suhosin extension, which refuses URLs in include statements regardless of which wrapper they use.
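The post argues the point at the engine level; the same filtering can be done in the application. The following is an added example, not code from the original post or from Suhosin: it puts the vulnerable include pattern the post criticises next to an allow-list resolver that refuses every stream wrapper (not only the http/ftp ones allow_url_include=Off blocks) and pins the resolved path under one directory, so the php://input, data: and local-file vectors from the text are all rejected. The function names, the page names, the temporary directory and the sample request values are assumptions made for this demo.

```php
<?php
// Added example (not from the original post). Contrasts an unguarded
// include with an allow-list resolver that rejects any scheme prefix,
// traversal and NUL bytes, and checks realpath() against a base directory.

// The pattern under attack: the include target comes from the request.
// With allow_url_include=Off on PHP 5.2.0 this still executes
// 'php://input' (the POST body) and 'data:;base64,...', and on any version
// it executes any local file the attacker can write (session files,
// uploads, logs).
function insecure_page(string $page): void
{
    include $page;          // $page = $_GET['page'] in the real application
}

// Does the string carry a scheme? This is the check allow_url_* does NOT
// perform for php:// and data: on 5.2.0, so perform it yourself.
function has_stream_scheme(string $s): bool
{
    return (bool) preg_match('~^[a-z][a-z0-9+.\-]*:~i', $s);
}

// Map a request parameter to a real file under $baseDir, or return null.
// $allowed is the fixed set of page names the application ships (assumed).
function resolve_page(string $page, string $baseDir, array $allowed): ?string
{
    // 1. An exact allow-list match does most of the work ...
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 2. ... but belt and braces: no scheme, no traversal, no NUL byte.
    if (has_stream_scheme($page)
        || strpos($page, '..') !== false
        || strpos($page, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    // 3. The resolved path (symlinks followed) must stay under the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Hardened counterpart of insecure_page(): returns false and includes
// nothing when the name does not resolve, so the caller can send a 404.
function secure_page(string $page, string $baseDir, array $allowed): bool
{
    $file = resolve_page($page, $baseDir, $allowed);
    if ($file === null) {
        return false;
    }
    include $file;
    return true;
}

// Stand-alone demo on a constructed fixture: one legitimate page in a
// temporary directory (assumed layout).
$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/home.php', "<?php echo \"home page\\n\";\n");
$allowed = ['home'];

$attempts = [
    'home',                                   // legitimate page
    'http://evil.example/shell.txt',          // blocked by allow_url_include
    'php://input',                            // NOT blocked on PHP 5.2.0
    'data:;base64,PD9waHAgcGhwaW5mbygpOz8+',  // NOT blocked on PHP 5.2.0
    '../../../../tmp/sess_abcdef',            // local file, never blocked
];
foreach ($attempts as $p) {
    $ok = secure_page($p, $dir, $allowed);
    printf("%-42s => %s\n", $p, $ok ? 'included' : 'refused');
}
unlink($dir . '/home.php');
rmdir($dir);
```

Only the first request reaches include; the other four are refused before any stream is opened, independent of how allow_url_fopen and allow_url_include are set. The allow-list alone would already reject them, but the scheme, traversal and realpath() checks are kept so the guard still holds if the list is later built from a directory listing or a database instead of a literal array.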

Address: http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html
