PHP development - allow_url_fopen
Posted by - NA - on 13 January 2011 09:41 PM
Attention PHP Users and Developers .
In the past month alone we have had at least 20 incidents resulting from allow_url_fopen exploits. These incidents have caused downtime as well as network outages caused by DOS attacks. We feel it to be in the best interest of the vast majority of our clients who do not use allow_url_fopen to disable this function from our PHP core install on all servers.
Effective 16/06/2005 we will be disabling the allow_url_fopen function from the default PHP core functions on all of our servers.
One of the most exploitable PHP functions is fopen. With allow_url_fopen enabled, potential attackers are able to force the PHP parser to execute malicious code. This code can include the execution of shell commands. Execution of malicious shell commands has several security-related ramifications:
1. User's files owned by the httpd user (common with CMS systems) can be changed or deleted.
2. Any file on the local file system can be read.
3. Attackers can download and run other malicious scripts, such as floods, DOS attacks, and remote shells which can cause downtime for everyone.
4. Shell commands can be run against suid binaries in an attempt to gain root access to the server.
>From www.php.net :
"This option enables the URL-aware fopen wrappers that enable accessing URL objects like files (pictures or shell scripts). Default wrappers are provided for the access of remote files using the ftp or http protocol"
"Server admins should disable things... like allow_url_fopen due to extreme security vulnerabilities"