-
04-28-2005, 07:09 PM #1 Web Hosting Master
- Join Date: Nov 2003
- Location: Canada
- Posts: 881
Blocking external includes in php?
Hi all,
I was just wondering if it's possible to prevent PHP scripts from including offsite material. So anything like "/home/myname/file.txt" would work but "http://somesite.com/somefile.txt" would not.
-
04-28-2005, 07:19 PM #2 Junior Guru Wannabe
- Join Date: Mar 2005
- Location: India
- Posts: 68
You can disable the following in php.ini for that
allow_url_fopen = off
-
04-28-2005, 07:23 PM #3 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
That won't work with include(). You can use hardenedphp; however, that will not work with Zend.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
04-28-2005, 08:39 PM #4 Junior Guru Wannabe
- Join Date: Mar 2005
- Location: India
- Posts: 68
Originally posted by sojish
You can disable the following in php.ini for that
allow_url_fopen = off
When I tried it once, it worked for me. Any access of a URL through include() gave a Failed opening 'URL' error message.
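Added example, not part of any post in this thread: a shell check that reports whether a given php.ini lets include() fetch URLs, using the allow_url_fopen directive discussed above. It also reads allow_url_include, a separate directive that PHP 5.2 and later add for include/require and that this thread predates; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). php.ini rules modelled here: ';' starts
# a comment, directive names are case-sensitive, the last assignment wins, and
# On/True/Yes or a non-zero integer mean "on". Per-directory overrides
# ([PATH=...] sections, .htaccess, php_admin_flag) are not considered.

ini_bool() {  # usage: ini_bool <directive> <default: on|off> < php.ini
    awk -v key="$1" -v val="$2" '
        {
            sub(/;.*/, "")                    # drop comments
            eq = index($0, "=")
            if (eq == 0) next                 # section header or blank line
            k = substr($0, 1, eq - 1)
            v = tolower(substr($0, eq + 1))
            gsub(/[ \t\r]/, "", k)
            gsub(/[ \t\r"]/, "", v)
            if (k == key) val = v             # last assignment wins
        }
        END {
            if (val ~ /^(on|true|yes)$/ || val + 0 != 0) print "on"
            else print "off"
        }'
}

remote_include_status() {  # usage: remote_include_status <path to php.ini>
    fopen=$(ini_bool allow_url_fopen on < "$1")     # PHP default: on
    incl=$(ini_bool allow_url_include off < "$1")   # PHP >= 5.2 only, default: off
    if [ "$fopen" = off ]; then
        verdict=blocked                 # URL wrappers disabled on every version
    elif [ "$incl" = on ]; then
        verdict=allowed
    else
        verdict=allowed-before-5.2      # older PHP has no allow_url_include
    fi
    echo "allow_url_fopen=$fopen allow_url_include=$incl remote_include=$verdict"
}

# Constructed sample: the setting from the thread, placed after a stock "On" line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[PHP]
; allow_url_fopen = On   (commented out, ignored)
allow_url_fopen = On
allow_url_fopen = off    ; later line wins
EOF
remote_include_status "$sample"
rm -f "$sample"
```

Run it against the php.ini that the web server's PHP actually loads; a verdict of allowed-before-5.2 means the file relies on allow_url_include being off, which only protects PHP 5.2 and later.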
-
04-28-2005, 08:40 PM #5 Web Hosting Evangelist
- Join Date: Dec 2002
- Posts: 508
Originally posted by thelinuxguy
That won't work with include(). You can use hardenedphp; however, that will not work with Zend.
Matt Wade
Christian Web Hosting
http://codewalkers.com/ - Home of the PHP Coding Contest
http://phphosts.codewalkers.com/ - Directory of PHP Web Hosts. Free Listing.
-
04-28-2005, 08:55 PM #6 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
Oh, my mistake, I was thinking of a different directive.
-
04-29-2005, 12:48 AM #7 Newbie
- Join Date: Apr 2005
- Location: Russia/ Tomsk
- Posts: 7
It is possible to block outgoing connections from Apache's UID,
allowing only connections from Apache to:
localhost:25 - for sending mail
localhost:3306 - to connect to MySQL
localhost:143 - to connect to IMAP
and so on...
Details depend on your firewall version.
-
04-29-2005, 12:53 AM #8 Newbie
- Join Date: Apr 2005
- Location: Russia/ Tomsk
- Posts: 7
For example, for iptables it looks like:
# Create the per-user chain before any rule refers to it
iptables -N apache-server
# Send every packet generated by the apache UID through that chain
iptables -A OUTPUT -m owner --uid-owner apache -j apache-server
# Replies from the web server to its HTTP/HTTPS clients
iptables -A apache-server -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A apache-server -p tcp -m tcp --sport 443 -j ACCEPT
# Outgoing SMTP, MySQL and IMAP connections, and DNS lookups
iptables -A apache-server -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A apache-server -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A apache-server -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A apache-server -p udp -m udp --dport 53 -j ACCEPT
# Everything else from the apache UID is refused
iptables -A apache-server -p tcp -j REJECT --reject-with icmp-port-unreachable
iptables -A apache-server -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A apache-server -j DROP