ID #1296

Why is the url_fopen function disabled?

This function has been disabled for security reasons. Therefore files from external sites can't be imported. Local inclusions are however possible as usual. Alternatively you can use the fsockopen() function. Information regarding this subject can be found in the PHP Manual.


Further Hints on the abovementioned function:

Due to weak spots an attacker can paste random script code into affected PHP scripts. The attacker needs an own web server to provide the code that is pasted into the PHP scripts.

According to announcements IRC bots have been installed on compromised systems, by which the systems are remote controlled and used as Warez FTP server or for executing DDoS attacks.

Web servers are affected if in the configuration php.ini the option

"allow_url_fopen = on"

is set and - in addition - a PHP script can be called up that loads code dynamically in an insecure way.

For Example:

if (!isset($realm))
include "home.template";
include $realm ;

The abovementioned option causes that calls of the function fopen() are executed via an URL wrapper. That means instead of a path in the local file system an URL can be specified on a remote web server. In this case the include instruction integrates the script code that is returned by the remote web server to the URL after the HTTP request.

An Attacker can use this class of weak spots through a specially constructed HTTP Get request containing an URL pointing to a web server controlled by the attacker.

For the abovementioned reasons the option "allow_url_fopen" is disabled on our servers.

Tags: allow_furl_open, fsockopen, url_fopen

Related entries:

You cannot comment on this entry