Allow url_fopen
Posted: Thu Sep 10, 2015 7:54 am
by copernic2006
Hi,
I have a number of requests from customers who want the allow url_fopen function to be activated.
Do you think the risk of activating it is minimal (url_include remains disabled)?
Thank you for sharing your opinions and experience.
Re: Allow url_fopen
Posted: Thu Sep 10, 2015 1:50 pm
by mikeshinn
It's a fairly risky function to allow; it basically lets PHP allow URLs as files. This is one of the older ways of hacking PHP applications via a remote file include attack. Do you know what web applications they are using that require this?
Re: Allow url_fopen
Posted: Thu Sep 10, 2015 1:58 pm
by copernic2006
Hello Mike,
The most recent case is that of a client that uses a component for WordPress (http://codecanyon.net/item/woocommerce- ... r/10959830)
This client has not been hosted by me since this afternoon (no great loss, considering safety).
In the past, I had a client in Joomla who also requested that this feature be permitted.
Re: Allow url_fopen
Posted: Fri Sep 11, 2015 5:56 am
by faris
I've had a few clients that want url_fopen and I normally refuse.
I will make exceptions if I feel the risk is worth it though. But not very often.
Re: Allow url_fopen
Posted: Fri Sep 11, 2015 6:04 am
by prupert
Allowing url_fopen is very unsafe. More so because it is usually used by poorly written scripts. Using the cURL functions is a fine alternative.
There really is no sane reason to keep allow_url_fopen enabled.
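
The cURL alternative mentioned above, as an added example that is not part of any post in this thread: a fetch helper that works with allow_url_fopen set to Off and only talks HTTPS to an allowlisted host. The function name, the host `api.example.com` and the 1 MiB cap are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread): fetch a remote resource with cURL so
// allow_url_fopen can stay Off. Host names and URLs below are constructed.

const ALLOWED_HOSTS = ['api.example.com'];   // assumption: hosts the app really needs
const MAX_BYTES     = 1048576;               // assumption: 1 MiB response cap

function fetch_remote(string $url): string
{
    // Validate scheme and host before any network activity.
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        throw new InvalidArgumentException('only https:// URLs are accepted');
    }
    if (!in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('host is not on the allowlist');
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // libcurl refuses file://, ftp://, ...
        CURLOPT_FOLLOWLOCATION => false,            // a redirect cannot leave the allowlist
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Collect the body; returning 0 aborts the transfer once the cap is exceeded.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            return strlen($body) > MAX_BYTES ? 0 : strlen($chunk);
        },
    ]);
    $ok     = curl_exec($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($ok === false || $status !== 200) {
        throw new RuntimeException("fetch failed (HTTP $status): $error");
    }
    return $body;
}

// Offline demonstration: both constructed URLs are rejected before any request is sent.
foreach (['file:///tmp/constructed.txt', 'https://other.example.net/feed'] as $u) {
    try { fetch_remote($u); } catch (InvalidArgumentException $e) { echo "$u -> {$e->getMessage()}\n"; }
}
```

Because the URL is an explicit argument to one function rather than anything `fopen()`, `file_get_contents()` or `include` will accept, a user-controlled path cannot silently turn into a remote fetch.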