Hi,
I have a number of requests from customers who want the allow url_fopen function to be activated.
Do you think the risk is minimal when activating it (url_include remains disabled)?
Thank you for sharing your opinions and experience.
Allow url_fopen
-
- Forum User
- Posts: 86
- Joined: Wed Oct 03, 2012 2:51 pm
- Location: Algiers
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Allow url_fopen
It's a fairly risky function to allow; it basically lets PHP allow URLs as files. This is one of the older ways of hacking PHP applications via a remote file include attack. Do you know what web applications they are using that require this?
Michael Shinn
Atomicorp - Security For Everyone
-
- Forum User
- Posts: 86
- Joined: Wed Oct 03, 2012 2:51 pm
- Location: Algiers
Re: Allow url_fopen
Hello Mike,
The most recent case is that of a client that uses a component for WordPress (http://codecanyon.net/item/woocommerce- ... r/10959830)
This client has not been hosted by me since this afternoon (no great loss, considering safety).
In the past, I had a client on Joomla who also requested that this feature be permitted.
Re: Allow url_fopen
I've had a few clients that want url_fopen and I normally refuse.
I will make exceptions if I feel the risk is worth it though. But not very often.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Re: Allow url_fopen
Allowing url_fopen is very unsafe. More so because it is usually used by poorly written scripts. Using the cURL functions is a fine alternative.
There really is no sane reason to keep allow_url_fopen enabled.
Lemonbit Internet Dedicated Server Management
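
The cURL alternative mentioned in the last reply, as an added example that is not part of the original thread: a script that fetched remote content through `fopen()` or `file_get_contents()` can do the same through one explicit function and keep working with `allow_url_fopen = Off`. The function name `fetch_remote`, the size cap and the timeouts are assumptions chosen for illustration.

```php
<?php
// Added example: remote fetch via cURL, so no file function has to accept URLs.
// fetch_remote() and its limits are hypothetical, not from any plugin or CMS.
function fetch_remote(string $url, int $maxBytes = 1048576): string
{
    // Accept only absolute http(s) URLs; file://, php://, ftp:// and
    // relative paths are rejected before any request is made.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("Scheme not allowed: '{$scheme}'");
    }
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('Could not initialise cURL');
    }
    $body = '';
    curl_setopt_array($ch, [
        // Restrict the initial request and any redirect to HTTP(S).
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        // Collect the body ourselves so an oversized response is cut off.
        CURLOPT_WRITEFUNCTION   => function ($ch, string $chunk) use (&$body, $maxBytes) {
            if (strlen($body) + strlen($chunk) > $maxBytes) {
                return 0; // a count that differs from the chunk size aborts the transfer
            }
            $body .= $chunk;
            return strlen($chunk);
        },
    ]);
    $ok     = curl_exec($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($ok === false) {
        throw new RuntimeException("Fetch failed: {$error}");
    }
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status {$status}");
    }
    return $body; // data only: never pass it to include, require or eval
}
// CLI usage: php fetch.php https://example.com/feed.xml
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo strlen(fetch_remote($argv[1])), " bytes\n";
}
```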