| Harry dot Boeck at t-online dot de 2006-06-24, 8:03 am |
| From: Harry dot Boeck at t-online dot de
Operating system: all
PHP version: Irrelevant
PHP Bug Type: Documentation problem
Bug description: allow_url_fopen documentation incomplete
Description:
------------
allow_url_fopen is incompletely documented concerning effects on file
handling:
This option allows usage of arbitrary files NOT only for file functions,
but for every kind of file handling, including "include"/"require", circumventing
"include_path" and "doc_root".
This effectively enables the entire internet to execute whatever they want
in the php space on this server. This is a huge security risk.
This is, however, only effective, when some possibility to manipulate any
of the mentioned file operations is already present in the php code (for
example, an argument replacement as "include $somefile").
This in turn is commonly seen not only in open source projects but also,
for example, in Dreamweaver productions.
I have found reports dating from 2004 on the internet, where the risk is
completely documented - but not in the php documentation, where it should
be.
Reproduce code:
---------------
not applicable
Expected result:
----------------
There should be a complete description of the vulnerability at least
either in the configuration file or in the documentation.
Actual result:
--------------
The documentation refers only to the "file system functions" in general
resp. to the "fopen"-function particularly.
Concerning "require", there is only a hint, that inclusion of files was
not possible even with "allow_url_fopen" enabled in earlier versions of
php.
--
Edit bug report at http://bugs.php.net/?id=37874&edit=1
|
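The `include $somefile` pattern the report mentions, next to an allow-list form in which request data never reaches `include`, as an added example that is not part of the bug report or the PHP documentation. The page tokens, the `pages/` directory and `resolve_page()` are assumptions made for illustration.

```php
<?php
// Added example. Page tokens, the pages/ directory and resolve_page()
// are hypothetical names, not taken from the bug report.

// Pattern described in the report (left as a comment so it never runs):
//     include $somefile;   // $somefile filled from request input
// With allow_url_fopen enabled the argument may name a URL wrapper, and
// include_path / doc_root are not consulted for it.

const PAGE_DIR = __DIR__ . '/pages';

// Fixed map from request token to file name; the request never supplies a path.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $token): ?string
{
    if (!array_key_exists($token, PAGES)) {
        return null;                      // unknown token: nothing is included
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$token]);
    if ($base === false || $path === false) {
        return null;                      // directory or file missing
    }
    // Defence in depth: the resolved file must still sit inside PAGE_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Log the setting the report is about so operators can see it is enabled.
if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_fopen is enabled; dynamic include/require arguments need review');
}

$token = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
$file  = resolve_page($token);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;                            // only ever a file named in PAGES
```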