
From "PHP Security", written by Daniel, I read about this:

 

There are a couple of php.ini directives you can use to prevent this:

 

    * allow_url_fopen: this directive is set to On by default and it controls whether remote files should be includable.

    * allow_url_include: this directive is set to Off by default and was introduced in PHP 5.2. It controls whether include(), require(), include_once() and require_once() should be able to include remote files. In versions below PHP 5.2 this was also controlled by allow_url_fopen. Furthermore, if allow_url_fopen is set to Off then this directive will be ignored and set to Off as well.

 

So, is it that I just need to set this in my .htaccess?

php_flag allow_url_fopen off
php_flag allow_url_include off

 

Is this all I need to do to handle this security issue?

https://forums.phpfreaks.com/topic/163377-remote-file-inclusion/

For sure I want to disallow remote file inclusion, for security purposes...

 

Yes, you probably do.  If it is on and you do not want it on, you are correct, setting it in the .htaccess file is a way to turn it off.  If you want to check and make sure it is turned off, you can place <?php phpinfo() ?> in a test.php file and look at it in your browser.  This will show you how PHP is configured and you can confirm that the settings in the .htaccess file are being applied correctly.
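As an added example (not code from the thread or from any poster), here is a small script that does the same check as reading phpinfo() output, but from inside PHP. ini_get() returns the Local Value, i.e. the value the running script actually sees, so it reflects whatever a permitted .htaccess setting changed. The iniIsOff() helper is my own name and handles the fact that PHP stores boolean ini values as "1" or "" and returns false for a directive that does not exist (such as allow_url_include on versions before 5.2).

```php
<?php
declare(strict_types=1);

// Added example: confirm the effective value of the two directives that control
// remote file inclusion, without opening phpinfo() in a browser.
// ini_get() returns the Local Value (the setting in effect for this script).

function iniIsOff(string $directive): bool
{
    $value = ini_get($directive);

    // ini_get() returns false when the directive is unknown to this PHP build;
    // a directive that does not exist cannot enable remote includes.
    if ($value === false) {
        return true;
    }

    // Boolean ini values are normalised by PHP to "1" (on) or "" (off), but a
    // value set with ini_set() may still be the literal word, so accept both forms.
    return in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no'], true);
}

/** Return [directive => true if disabled] for every directive we care about. */
function remoteIncludeStatus(): array
{
    $status = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        $status[$directive] = iniIsOff($directive);
    }
    return $status;
}

foreach (remoteIncludeStatus() as $directive => $off) {
    printf("%-20s %s\n", $directive, $off ? 'off' : 'ON (remote includes possible)');
}

// Note: these two directives are PHP_INI_SYSTEM on current PHP versions, so
// ini_set() cannot change them from a script; this code only reports them.
```

Drop the file somewhere under the document root next to the .htaccess being tested and request it once; if allow_url_fopen is reported ON even though the .htaccess says off, the host is not honouring php_flag for that directive and the master php.ini is what applies.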


So, to disallow remote file inclusion, I need to set them to 'off', right? Because the passage didn't mention this...

 

So, my question is: are these settings enough to prevent this attack or not? I did read

 

http://www.phpfreaks.com/tutorial/preventing-remote-file-include-attacks-with-mod-rewrite

 

but I don't understand it too well...

So, if my settings are enough to handle it, then I can skip this part...

 

thanks!

  • 2 months later...

Depending on php version, those two settings can only be set in PHP_INI_SYSTEM, meaning the master php.ini.

 

There is no substitute for validating external data, and you cannot rely on any php setting having any particular value or on being able to set it on any particular server (your web host can, for example, prevent you from changing any php settings in a .htaccess file or a local php.ini.) If you are using an external value in an include/require statement, you MUST validate that it only contains expected values.
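The validation approach from the reply above, as an added example that is not the poster's code. It assumes a hypothetical layout where page templates live in ./pages/ and the request looks like index.php?page=about; the function names resolvePage() and loadPage() are mine. The point is that the request parameter is only ever used as a key into a fixed allow-list, so nothing the user supplies (a URL, a path, anything else) reaches include(), and the code stays safe regardless of what allow_url_fopen or allow_url_include happen to be on the server.

```php
<?php
declare(strict_types=1);

// Added example: include a page selected by a request parameter without ever
// passing the parameter itself to include(). Layout and names are assumptions.

const PAGE_DIR = __DIR__ . '/pages';

// The allow-list. These are the only files this script can ever include.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request value to an allowed file path, or null if it is not a known page.
 * Anything that is not exactly one of the keys above (a URL, a relative path,
 * an empty value) is rejected here, so no filesystem or network lookup happens.
 */
function resolvePage(?string $requested): ?string
{
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$requested];
}

/** Render the selected page, or a 404 when the key is not allow-listed. */
function loadPage(?string $requested): void
{
    $path = resolvePage($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;   // $path was built from constants only
}

// Usage: the raw parameter is validated by resolvePage(); it is never included directly.
loadPage($_GET['page'] ?? null);
```

The same pattern works for any "which file" decision driven by user input: keep the mapping in code, look the input up, and treat a miss as an error rather than trying to sanitise the string into a path.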


 

ok.

 

As a newbie, I have another question here...

When I execute <?php phpinfo() ?> and check my phpinfo()...

 

I found there are two columns for each directive, which are Local Value and Master Value...

 

Can I know what the difference between the two is?

If I set those directives in my .htaccess, will both columns get the value I set, or will only the Local Value column be affected?

 

thanks!

The Master values are set in PHP_INI_SYSTEM (master php.ini or httpd.conf.) The Local values are set by any permitted PHP_INI_PERDIR or PHP_INI_USER settings. The Local values are what are used in a script.

 

Mode              Meaning

PHP_INI_USER      Entry can be set in user scripts (like with ini_set()) or in the Windows registry

PHP_INI_PERDIR    Entry can be set in php.ini, .htaccess or httpd.conf

PHP_INI_SYSTEM    Entry can be set in php.ini or httpd.conf

PHP_INI_ALL       Entry can be set anywhere

 


 

Please forgive my ignorance, allow me to confirm again...

 

So, my setting in .htaccess will only affect the value in the Local Value column, but won't affect the Master Value, right?

 

thanks again!


 

Is it that I'm wrong?
