Re: [PHP] patch to php 4.3.10 to disable URL wrappers in include-like statements

Well, of course this was never meant to protect you from inside attacks. But if you also disable eval() then I believe it's much harder to create a successful attack via the chmod-777-write-exec procedure (from outside). This patch is meant to prevent accidental DoS attacks by recursive inclusion (local users) and, to some degree, to prevent the execution of external code via a GET/POST variable exploit (remote attack). Though it is not a complete assessment of the security risk, it is a step in the right direction - one can apply it and start thinking about a better solution/other risks etc.

regards,
Bostjan

On Wednesday 02 March 2005 20:09, Richard Lynch wrote:
> Bostjan Skufca @ domenca.com wrote:
> > From system security's standpoint:
> >
> > <?php
> > $content = file_get_contents('http://www.domain.net/file.inc');
> > echo $content;
> > ?>
> >
> > is OK, but
> >
> > <?php
> > include('http://www.domain.net/file.inc');
> > ?>
> >
> > is NOT!
> >
> > Nice patch, Tom, will probably use it myself too...
>
> I'll be interested to see if it works in practice...
> [see previous post of mine]
>
> Ya never know.
>
> I still haven't figured out why spam harvesters don't find even the simplest obfuscations like %40 and @.
>
> But I guess if you come up with a billion fish every time you cast your line, you don't worry about buying better bait.
>
> I *suspect* this situation is different, in that you will have people actively trying to alter their attacks to bypass this blockage, and it's pretty simple to bypass.
>
> But, perhaps, it will turn out to be that there are so many unpatched wide-open places they can find that they'll never bother you again.
>
> I sure hope so, for your sake!

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] patch to php 4.3.10 to disable URL wrappers in include-like statements

Bostjan Skufca @ domenca.com wrote:
> From system security's standpoint:
>
> <?php
> $content = file_get_contents('http://www.domain.net/file.inc');
> echo $content;
> ?>
>
> is OK, but
>
> <?php
> include('http://www.domain.net/file.inc');
> ?>
>
> is NOT!
>
> Nice patch, Tom, will probably use it myself too...

I'll be interested to see if it works in practice...
[see previous post of mine]

Ya never know.

I still haven't figured out why spam harvesters don't find even the simplest obfuscations like %40 and @.

But I guess if you come up with a billion fish every time you cast your line, you don't worry about buying better bait.

I *suspect* this situation is different, in that you will have people actively trying to alter their attacks to bypass this blockage, and it's pretty simple to bypass.

But, perhaps, it will turn out to be that there are so many unpatched wide-open places they can find that they'll never bother you again.

I sure hope so, for your sake!

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] patch to php 4.3.10 to disable URL wrappers in include-like statements

From system security's standpoint:

<?php
$content = file_get_contents('http://www.domain.net/file.inc');
echo $content;
?>

is OK, but

<?php
include('http://www.domain.net/file.inc');
?>

is NOT!

Nice patch, Tom, will probably use it myself too...

regards,
Bostjan

On Wednesday 02 March 2005 11:54, Markus Mayer wrote:
> Correct me if I'm wrong, but isn't this already available in the standard PHP? In the php.ini file, you can refuse the inclusion of URLs:
> allow_url_fopen = Off
>
> I think also Hardened PHP offers additional similar protections.
>
> Markus
>
> On Wednesday 02 March 2005 08:57, Tom Z. Meinlschmidt wrote:
> > Hi,
> >
> > I've experienced a lot of attacks on my hosting server due to silly users and their scripts with holes. So I prepared this little patch to 4.3.10, which disables using URL wrappers in include/include_once/require/require_once statements (switchable in php.ini). See readme.security from the patch.
> >
> > The patch is here:
> >
> > http://orin.meinlschmidt.org/~znouza/php_patch.txt
> >
> > Comments are welcome.
> >
> > /tom

--
Best regards,
Bostjan Skufca
system administrator
Domenca d.o.o.
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com
Re: [PHP] patch to php 4.3.10 to disable URL wrappers in include-like statements

Correct me if I'm wrong, but isn't this already available in the standard PHP? In the php.ini file, you can refuse the inclusion of URLs:

allow_url_fopen = Off

I think also Hardened PHP offers additional similar protections.

Markus

On Wednesday 02 March 2005 08:57, Tom Z. Meinlschmidt wrote:
> Hi,
>
> I've experienced a lot of attacks on my hosting server due to silly users and their scripts with holes. So I prepared this little patch to 4.3.10, which disables using URL wrappers in include/include_once/require/require_once statements (switchable in php.ini). See readme.security from the patch.
>
> The patch is here:
>
> http://orin.meinlschmidt.org/~znouza/php_patch.txt
>
> Comments are welcome.
>
> /tom
[PHP] patch to php 4.3.10 to disable URL wrappers in include-like statements

Hi,

I've experienced a lot of attacks on my hosting server due to silly users and their scripts with holes. So I prepared this little patch to 4.3.10, which disables using URL wrappers in include/include_once/require/require_once statements (switchable in php.ini). See readme.security from the patch.

The patch is here:

http://orin.meinlschmidt.org/~znouza/php_patch.txt

Comments are welcome.

/tom

--
===
Tomas Meinlschmidt, SBN3, MCT, MCP, MCP+I, MCSE, NetApp Filer & NetCache
gPG fp: CB78 76D9 210F 256A ADF4 0B02 BECA D462 66AB 6F56 / $ID: 66AB6F56
GCS d-(?) s: a- C++ ULHISC*$ P+++> L+++$> E--- W+++$ N++(+) !o !K w(---) !O !M V PS+ PE Y+ PGP++ t+@ !5 X? R tv b+ !DI D+ G e>+++ h r+++ z+++@
===
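The distinction the thread draws (fetching a remote URL as data is fine, include()-ing it runs it as code) can also be enforced at the application level on stock PHP without Tom's patch. The following is an added example, not code from the thread or from the patch: it drops the remote stream wrappers at runtime, confines include paths to an allow-listed directory, and reports the two php.ini switches an admin would check (allow_url_fopen, and allow_url_include, which PHP added in 5.2 and which does at configuration level what the patch does for 4.3.10). It needs PHP 5.1+ for stream_wrapper_unregister(); the includes directory, the page names and the request parameter are assumptions.

```php
<?php
// Added example (not from the thread or Tom's patch). Requires PHP >= 5.1.

// Runtime hardening: remove the remote wrappers so neither include nor
// file_get_contents can reach them, whatever php.ini says.
foreach (array('http', 'https', 'ftp', 'ftps') as $wrapper) {
    if (in_array($wrapper, stream_get_wrappers(), true)) {
        stream_wrapper_unregister($wrapper);
    }
}

// Include $name only if it resolves to a real file inside $base_dir.
function safe_include($name, $base_dir)
{
    // Refuse any wrapper or URL syntax outright (http://, php://, data:, ...)
    // and embedded NUL bytes; a bare relative file name is all we accept.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name) || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException("refusing wrapper/URL include: $name");
    }
    $base = realpath($base_dir);
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses ../ and follows symlinks, so a prefix check on the
    // canonical result (with trailing separator) confines it to $base_dir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("include outside $base_dir refused: $name");
    }
    return include $path;
}

// The php.ini switches to audit: allow_url_fopen (Markus' suggestion) governs
// file_get_contents(); allow_url_include (PHP >= 5.2) governs include/require.
function url_include_status()
{
    return array(
        'allow_url_fopen'   => (bool) ini_get('allow_url_fopen'),
        'allow_url_include' => (bool) ini_get('allow_url_include'),
    );
}

// Usage with a constructed request parameter, the classic vulnerable pattern
// (include($_GET['page'])) replaced by the guarded call.
$page = isset($_GET['page']) ? $_GET['page'] : 'home.inc';   // assumed default
try {
    safe_include($page, __DIR__ . '/includes');               // assumed directory
} catch (Exception $e) {
    error_log($e->getMessage());   // record the refusal for the admin's logs
    header('HTTP/1.0 400 Bad Request');
}
```

Note that the scheme regex also rejects Windows drive-letter paths such as C:\..., which is intended here since only names relative to the includes directory are allowed.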