Hi all.

I've been reading about the security implications of turning allow_url_fopen 'on' for certain PHP applications that need to read files from a remote URL.

To recap, please read this old article about Remote file inclusion vulnerabilities: http://lwn.net/Articles/203904/

I'm just wondering if the ability to read files from a remote URL could be moved into a set of functions dedicated to that purpose alone? Then remove the URL reading ability from the standard file reading functions, to make those more secure?

The new set of remote file reading functions could be prefixed with 'url_'.

This would make it easier to distinguish between the local file reading functions, and those that read from remote URL's.

So the normal fopen() function would only work on files locally, regardless of whether allow_url_open was turned on.

allow_url_open would only enable the file functions with the 'url_' prefix.

setting allow_url_open to 'OFF' would disable those remote file reading functions, prefixed with 'url_'.

To read a file from localhost just use the normal syntax:

<?php
$handle = fopen("/home/rasmus/file.txt", "r");
$handle = fopen("/home/rasmus/file.gif", "wb");
?>

To read a file from a remote URL use:

<?php
$handle = url_fopen("http://www.example.com/";, "r", $md5hash);
?>

To write a file to a remote URL use:

<?php
$handle = url_fopen("ftp://user:passw...@example.com/somefile.txt";, "w", $md5hash); ?>

To make sure that an attacker cannot use url_fopen() in an attack script, these url_ prefixed remote file read/write functions could also take another required parameter, $md5hash.

fopen
(PHP 4, PHP 5)

fopen — Opens file or URL

Description

fopen (  string $filename, string $mode, $md5hash
 [, bool $use_include_path = false [, resource $context ]] )

As in:

<?php
$handle = url_fopen("http://www.example.com/";, "r", $md5hash);
?>

$md5hash is a value that the 'url_' prefixed remote file reading/writing functions checks before opening the remote URL.

If the $md5hash parmeter does not match what the function expects, then the function fails with an error message, and refuses to open the remote file.

If the $md5hash was stored on the localhost, then the attacker would not have access to it, and the url_ prefixed remote file functions would fail with the error message, "Cannot open remote URL - invalid hash key".

These remote file opening attempts would also appear in the PHP error log, making it easier to spot such security attacks.

Any ideas how the $md5hash KEY could be stored on localhost, so PHP can read it, and then compare that KEY with the value the programmer passes into the url_fopen($file, $mode, $md5hash) function?

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to