Results 1 to 8 of 8
  1. #1
    Join Date
    Nov 2003
    Location
    Canada
    Posts
    881

    Blocking external includes in php?

    Hi all,

    I was just wondering if its possible to prevent phpscripts from including offsite material. So anything like "/home/myname/file.txt" would work but "http://somesite.com/somefile.txt" would not.

  2. #2
    Join Date
    Mar 2005
    Location
    India
    Posts
    68
    You can disable the following in php.ini for that

    allow_url_fopen = off
    Whats wrong in an innocent cup of tea ?
    -----
    Bobcares.com

  3. #3
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    That wont work with include(), you can use hardenedphp however that will not work with zend.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  4. #4
    Join Date
    Mar 2005
    Location
    India
    Posts
    68
    Originally posted by sojish
    You can disable the following in php.ini for that

    allow_url_fopen = off
    You sure about that,buddy ?
    When I tried it once .. it worked for me . Any access of a url through include() gave Failed opening 'URL' error message.
    Whats wrong in an innocent cup of tea ?
    -----
    Bobcares.com

  5. #5
    Originally posted by thelinuxguy
    That wont work with include(), you can use hardenedphp however that will not work with zend.
    Yes, allow_url_fopen does work with include.
    Matt Wade
    Christian Web Hosting
    http://codewalkers.com/ - Home of the PHP Coding Contest
    http://phphosts.codewalkers.com/ - Directory of PHP Web Hosts. Free Listing.

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    oh my mistake, i was thinking a different directive.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #7
    Join Date
    Apr 2005
    Location
    Russia/ Tomsk
    Posts
    7
    it is possible to block outgoing connection from apache's UID
    allowing only connections from apache to
    localhost:25 - for sending mails
    localhost:3306 - connect to mysql
    localhost:143 - connect to imap
    and so on...

    details depend on your firewall version

  8. #8
    Join Date
    Apr 2005
    Location
    Russia/ Tomsk
    Posts
    7
    for axample for iptables it looks like:

    iptables -A OUTPUT -m owner --uid-owner apache -j apache-server
    iptables -A apache-server -p tcp -m tcp --sport 80 -j ACCEPT
    iptables -A apache-server -p tcp -m tcp --sport 443 -j ACCEPT
    iptables -A apache-server -p tcp -m tcp --dport 25 -j ACCEPT
    iptables -A apache-server -p tcp -m tcp --dport 3306 -j ACCEPT
    iptables -A apache-server -p tcp -m tcp --dport 143 -j ACCEPT
    iptables -A apache-server -p udp -m udp --dport 53 -j ACCEPT
    iptables -A apache-server -p tcp -j REJECT --reject-with icmp-port-unreachable
    iptables -A apache-server -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A apache-server -j DROP

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •