ID: 25461
User updated by: ashley at netcraft dot com dot au
Reported By: ashley at netcraft dot com dot au
-Status: Bogus
+Status: Closed
Bug Type: Feature/Change Request
Operating System: Linux
PHP Version: 4.3.3
New Comment:

No point in this. I know it's in the config file. I know it's in the
manual. I still see it as insecure and there should be a security

Previous Comments:

[2003-09-10 03:05:19] [email][/email]

from php.ini:

; Whether to allow the treatment of URLs (like http:// or [url]ftp://)[/url] as

From the manual:

allow_url_fopen = On
allow_url_fopen boolean
This option enables the URL-aware fopen wrappers that enable accessing
URL object like files. Default wrappers are provided for the access of
remote files using the ftp or http protocol, some extensions like zlib
may register additional wrappers.


[2003-09-09 21:17:27] ashley at netcraft dot com dot au

I know there's an option for it, but it should come with a warning that
it also enables url's on include/require.


[2003-09-09 21:02:31] [email][/email]

Search php.ini-dist (or php.ini-recommended) for "allow_url_fopen"


[2003-09-09 19:48:43] ashley at netcraft dot com dot au

I think it's highly insecure that 'include' and 'require' support
http:// url's by default. Why would you want to execute arbitrary code
from another web page? I have seen many sites where they are
exploitable because they do

require $page. ".php";

Although this is bad programming, it's still insecure to allow http
url's by default. Also, I'd strongly suggest never using http includes
unless you control the DNS for the domain of the site you are
connecting to. Otherwide the hostname could be changed over to a
different page.


Edit this bug report at [url][/url]