Posted by Markus Mayer on 03/02/05 12:54

Correct me if I'm wrong, but isn't this already available in the standard PHP?
In the php.ini file, you can refuse the inclusion of url's :
allow_url_fopen = Off

I think also Hardened PHP offers additional similar protections.

Markus

On Wednesday 02 March 2005 08:57, Tom Z. Meinlschmidt wrote:
> Hi,
>
> I've experienced a lot of attacks in my hosting server due to silly users
> and their scripts with holes. So I prepared this little patch to 4.3.10,
> which disables using url wrappers in
> include/include_once/require/require_once statemens (switchable in
> php.ini). See readme.security from patch
>
> patch is there:
>
> http://orin.meinlschmidt.org/~znouza/php_patch.txt
>
> comments are welcome
>
> /tom
>
> --
> ===========================================================================
>==== Tomas Meinlschmidt, SBN3, MCT, MCP, MCP+I, MCSE, NetApp Filer &
> NetCache gPG fp: CB78 76D9 210F 256A ADF4 0B02 BECA D462 66AB 6F56 / $ID:
> 66AB6F56 GCS d-(?) s: a- C++ ULHISC*++++$ P+++>++++ L+++$>++++ E--- W+++$
> N++(+) !o !K w(---) !O !M V PS+ PE Y+ PGP++ t+@ !5 X? R tv b+ !DI D+ G
> e>+++ h---- r+++ z+++@
> ===========================================================================
>====

• Next in thread: Re: [PHP] Re: patch to php 4.3.10 to disabling URL wrappers in include like statements
• Prev in thread: patch to php 4.3.10 to disabling URL wrappers in include like statements
• Next in forum: sql query
• Prev in forum: Download with header() - file corrupted
• Thread view: patch to php 4.3.10 to disabling URL wrappers in include like statements

[Reply to this message]