Well, of course this was never ment to protect you from inside attacks. But if
you also disable eval() then I believe it's pretty much harder to create a
successfull attack via chmod-777-write-exec procedure (from outside).
This patch is ment to prevent accidental DOS attacks by recursive inclusion
(local users) and to in some degree prevent the execution of external code
via GET/POST variable exploit (remote attack).
But though it is not a complete assessment of security risk it is a step
towards right direction - one can apply it and start thinking about better
solution/other risks etc.
regards,
Bostjan
On Wednesday 02 March 2005 20:09, Richard Lynch wrote:
> Bostjan Skufca @ domenca.com wrote:
> > From system security's standpoint:
> >
> > <?php
> > $content = file_get_contents('http://www.domain.net/file.inc');
> > echo $content;
> > ?>
> >
> > is OK, but
> >
> > <?php
> > include('http://www.domain.net/file.inc');
> > ?>
> >
> > is NOT!
> >
> > Nice patch, Tom, will probably use it myself too...
>
> I'll be interested to see if it works in practice...
> [see previous post of mine]
>
> Ya never know.
>
> I still haven't figured out why spam harvesters don't find even the
> simplest obfuscations like %40 and @
>
> But I guess if you come up with a billion fish every time you cast your
> line, you don't worry about buying better bait.
>
> I *suspect* this situation is different, in that you will have people
> actively trying to alter their attacks to bypass this blockage, and it's
> pretty simple to bypass.
>
> But, perhaps, it will turn out to be that there are so many unpatched
> wide-open places they can find that they'll never bother you again.
>
> I sure hope so, for your sake!
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
