robbat2 | [gentoo] PHP allow_url_fopen - security problems predicted in July 2003

Recently I've been digging around in the annuls of Gentoo history, working on what will hopefully be the final tree-signing proposal before it actually becomes a full reality. During the midst of this, Stuart came up to me in #gentoo-dev:

<Stuart> robbat2: btw, did you see this week's LWN?
<Stuart> robbat2: the one of using Google Code to find PHP apps that are vulnerable to allow_url_fopen attacks
<Stuart> robbat2: you were right, all those years ago. just wanted to tell you that.

I wasn't the first to come up with the idea, the BSD ports folk were talking about it around the same time we were in mid-July 2003, and I was aware of their discussion, but I believe that Gentoo was the first Linux distribution to make this jump in turning it off. I took a lot of flak at the time for breaking many PHP applications in the name of security, but history has now shown that allow_url_fopen is a very common PHP exploit, and with the advent of Google Code, many sites may now considerably more vulnerable - and all of this could have been mostly avoided a long time ago if PHP had just included a taint mode from the start...

I hadn't read LWN yet, it's only been out a few hours, yet here the article is: "Remote file inclusion vulnerabilities". Stuart also posted a link back into the murky depths of the Gentoo CVS, with a commit I made in July 2003, that turned off allow_url_fopen by default in Gentoo.

S	M	T	W	T	F	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

Most Popular Tags

barcampvancouver - 4 uses
bicycle - 3 uses
bugzilla - 3 uses
cacert - 3 uses
computers - 5 uses
conferences - 2 uses
cycling - 2 uses
distfiles - 2 uses
email - 2 uses
fc - 3 uses
fibre channel - 3 uses
fibrechannel - 3 uses
forsale - 2 uses
geek - 6 uses
gentoo - 54 uses
git - 3 uses
gitosis - 2 uses
google - 3 uses
gpg - 2 uses
hard drives - 2 uses
honeymoon - 2 uses
linux - 7 uses
livejournal - 4 uses
meme - 3 uses
mirrors - 5 uses
mysql - 4 uses
networking - 3 uses
ols2008 - 6 uses
open source - 3 uses
pgp - 2 uses
photography - 2 uses
predictions - 2 uses
quiz - 2 uses
releng - 2 uses
rsync - 3 uses
security - 6 uses
server - 2 uses
south africa - 2 uses
spam - 7 uses
statistics - 3 uses
stocks - 2 uses
stolen - 2 uses
storedge - 2 uses
sun - 3 uses
techbc - 4 uses
theft - 2 uses
tips - 2 uses
travel - 3 uses
wedding - 2 uses
wishlist - 2 uses

Flat | Top-Level Comments Only

From: (Anonymous)

For interest, perhaps the earliest significant warning was back in 2001 - http://blackhatnetworks.com/html/bh-asia-01/bh-asia-01-speakers.html#Shaun%20Clowes

The talk became the "Study in Scarlet" - http://www.securereality.com.au/studyinscarlet.txt

Near the end "11. Responsibility - Language Vs Programmer" is worth re-reading.

(5 years later) This is finally going to get solved once and for all with PHP 6 - the splitting of allow_url_fopen and allow_url_include - the latter will control remote code inclusion while the former will be limited to "non-eval" file functions like file_get_contents(), which is the reason many people currently leave this setting switched on, despite the known security risks. Some remarks about this here: http://shiflett.org/archive/242

internetowy katalog stron moderowany katalog stron seo [URL=http://araw.org.pl/internet,i,komputery/moderowany,katalog,stron,s,646/ ]seo katalog stron[/URL] katalog seo internetowy katalog stron moderowany katalog stron moderowany katalog stron internetowych [URL=http://www.aglar.com.pl/internet,i,komputery/moderowany,katalog,stron,www,s,4905/ ]katalog stron[/URL] katalog seo katalog stron przyjazny katalog stron www katalog stron [URL=http://www.katalooog.pl/?action=site&id=738 ]katalog seo[/URL] katalog stron moderowany katalog stron internetowych przyjazny katalog stron www moderowany katalog stron www [URL=http://katalog.lakerspl.info/internet,i,komputery/katalog,seo,s,2974/ ]katalog seo[/URL] przyjazny katalog stron www katalog stron katalog stron seo katalog [URL=http://709.pl/komputer,internet/moderowany,katalog,www,s,2822/ ]moderowany katalog stron internetowych[/URL] internetowy katalog stron moderowany katalog stron internetowy katalog stron moderowany katalog stron seo [URL=http://www.crank.pl/najlepszy-katalog-stron ]moderowany katalog www[/URL] moderowany katalog stron internetowy katalog stron moderowany katalog www internetowy katalog stron [URL=http://www.aglar.com.pl/internet,i,komputery/moderowany,katalog,stron,www,s,4905/ ]seo katalog stron[/URL] seo katalog stron seo katalog stron katalog seo moderowany katalog stron seo [URL=http://www.airstar.pl/internet-i-komputery/dlaczego-warto-zalozyc-katalog-stron/ ]seo katalog[/URL] internetowy katalog stron moderowany katalog stron www katalog stron seo katalog stron [URL=http://www.techniczny.us/internet-i-komputery/moderowany-katalog-stron-seo,wwws,3435/ ]moderowany katalog stron seo[/URL] moderowany katalog stron katalog stron www moderowany katalog www katalog stron [URL=http://www.czarodziejski.pl/internet,and,web/katalog,seo,s,4230/ ]przyjazny katalog stron www[/URL] moderowany katalog www przyjazny katalog stron www moderowany katalog stron www internetowy katalog stron

Move along, nothing to read

A dis-illusioned software engineer

[gentoo] PHP allow_url_fopen - security problems predicted in July 2003

Study in Scarlet

Katalog stron

Profile

May 2017

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags