Well, it looks like the overall consensus is that we add this restriction, so let's add it in. It seems I am the only one somewhat against it...

On 5-Nov-06, at 10:19 PM, Stanislav Malyshev wrote:

I guess it is a question of frequency, as a rule a valid use of require/include on a URL is quite unusual. From my experience, I do not believe the same could be said about smb.

How many apps really need to import includes from foreign systems which aren't mounted as drive letters? I don't think anybody does (or should) build applications like that.

This is a valid point, but at the same time we need to consider the consequences that marking smb:// as url will have on PHP applications and whether this is something to be done in a patch level release.

Sure, we need to consider that - I think that's exactly what we are doing now :) My assessment would be people usually don't do that purposefully, but you and everybody on the list are welcome to give examples to the contrary of course.

Exploitation wise all of the hacks I've seen for remote code execution were based on http as that provides the best degree of anonymity for a

SMB can be as anonymous as HTTP. The reason why HTTP is used more is because you can easily buy HTTP hosting solution and SMB hosting would probably cost more, and because HTTP is much more known and easy to set up right to the script kiddies of all kinds. But once people figure out something can be hacked through SMB means, they would write a script to do it and script kiddies would do it as easily as anything. Once writing an exploit was an art that few could master, now there are ready-made rootkits for any vulnerability out there for anybody to use.

Use of SMB requires a more tricky infrastructure in a form of an open smb share, usually meaning an exploited win32 box that accepts incoming smb connections.

"Pwned" windows boxes are not unheard of, to say the least. :) And any unix can do smb as good as windows, thanks to samba team ;)

A firewall rule can be used to block outgoing smb connections quite easily on both linux and windows.

Yes, sure - though standard config does not block that AFAIK and the whole point of allow_url_include is to protect such configs as far as I understand.

--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED]  http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php



Ilia Alshanetsky

