Comments on: Unexpected Security Problem with PHP URL fopen Wrapper

By: Priyadi

Priyadi — Wed, 22 Mar 2006 02:56:21 +0000

#15:

1. hard to say, it depends a lot on what on the PHP code. even with url like http://example.com/foo.php?page=bar.php it is possible to do it securely with proper sanitation

2. can’t tell. but if you are aware that you are using fopen wrappers, it is less likely to have security hole. the security hole exists mainly because people are not aware the function like include() or require() can execute data from external URL.

3. here

By: Ziben

Ziben — Wed, 22 Mar 2006 01:52:21 +0000

Priyadi said: “Then, the URL will look like http://example.com/foo.php?page=bar.php.”

so, let say we have the URL like http://example.com/foo.php?page=1

the question are:

1. is it still HUGE security hole with the URL above?

2. is it any solution for this? if we use fsocketopen instead of fopen, is it more secure?

3. how to create the script to show
Using Opera 6.32 on SonyEricsson P910?
could you share this with us?

thanks!

By: Priyadi

Priyadi — Tue, 27 Sep 2005 23:50:01 +0000

#12: default on karena default php on. tapi kayanya perlu juga dipertimbangkan untuk dimatikan secara default

By: rob

rob — Tue, 27 Sep 2005 15:29:13 +0000

Try Snoopy if you’re looking for a solution to the “not all hosts have allow_url_fopen turned on” problem; it’s a sockets-based HTTP library coded entirely in PHP, and makes it very easy to send HTTP requests.

By: Erwin Kodiat

Erwin Kodiat — Tue, 27 Sep 2005 14:34:11 +0000

Mas Pri, kalo di IDG by default setting URL fopen Wrapper nya on atau off?

By: Ben

Ben — Mon, 26 Sep 2005 17:19:47 +0000

oh.. kira-kira begini toh masalahnya… thanks

By: john

john — Mon, 26 Sep 2005 05:51:11 +0000

#9: jangan include file yang remote (berada di tempat lain, di luar situs ybs)

.. eh, bener kan?

By: Jauhari

Jauhari — Mon, 26 Sep 2005 01:04:28 +0000

artinya apa to?

security gimana?
Jadi make include, require ndak aman gitu?

BASA INGGRIS = 0

By: iang

iang — Sun, 25 Sep 2005 17:49:56 +0000

#7: gak lengkap kalo gak ada SSH

By: didats

didats — Sun, 25 Sep 2005 15:46:28 +0000

hehehe…
didats ga dapet akses ssh…
semua udah diatur.. semoga aja mereka udah melakukannya..

By: Priyadi

Priyadi — Sun, 25 Sep 2005 15:28:12 +0000

#4: karena sepertinya sekarang ini orang2 jahat sudah punya spider untuk mencari URL yang berpola seperti ini. pasang situs yang punya URL seperti itu, dan tunggu 1-2 minggu, kemungkinan besar sudah ada yang ngerjain

#5: kalau url.fopen_wrappers off harusnya gak masalah. tapi sebaiknya sih scriptnya yang dibenerin. require() juga sama masalahnya.

By: Belutz

Belutz — Sun, 25 Sep 2005 14:39:37 +0000

Jadi solusi nya apa mas pri? kalo url.fopen_wrappers di off masih bisa pake include ("filename.ext"); kan? karena ini memanggil file local bukan file yg menggunakan url? cmiiw
apakah ini juga pengaruh dengan syntax require(); ?