Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.

#1
Old 06-16-2005, 04:01 PM
admin
Vortech Inc. Owner
Location: Orlando FL

!! Attention PHP Users and Developers !!

In the past month alone we have had at least 20 incidents resulting from allow_url_fopen exploits. These incidents have caused downtime for many clients as well as network outages caused by DOS attacks. We feel it to be in the best interest of the vast majority of our clients who do not use allow_url_fopen to disable this function from our PHP core install.

Effective 06/16/2005 we will be disabling the allow_url_fopen function from the default PHP core functions on all of our webservers.

------------------------------------------------------------------------------------------

One of the most exploitable PHP functions is fopen. With allow_url_fopen enabled, potential attackers are able to force the PHP parser to execute malicious code. This code can include the execution of shell commands. Execution of malicious shell commands has several security-related ramifications:

1. Users' files owned by the httpd user (common with CMS systems) can be changed or deleted.
2. Any file on the local file system can be read.
3. Attackers can download and run other malicious scripts, such as floods, DOS attacks, and remote shells which can cause downtime for everyone.
4. Shell commands can be run against suid binaries in an attempt to gain root access to the server.

From www.php.net:

"This option enables the URL-aware fopen wrappers that enable accessing URL objects like files (pictures or shell scripts). Default wrappers are provided for the access of remote files using the ftp or http protocol"

"Server admins should disable things... like allow_url_fopen due to extreme security vulnerabilities"

------------------------------------------------------------------------------------------
__________________
Brad Pugh
http://www.vortechhosting.com
------

Local System/Network Monitor
http://nagios.hsphere.cc/
Login:guest Pass:guest
XML FEED http://nagios.hsphere.cc/feed.xml
------

My Other Life:
#2
Old 06-16-2005, 04:09 PM
matthewshull
Vortech Inc. Customer
Location: Forest, Ohio
So how do developers get around this? This obviously breaks many applications, and for those who use third-party products it may not be easy to fix.

What are the options here? I for one use a 3rd party shopping cart on a couple of sites that broke when you turned this off the first time.

Thanks.
__________________
Matt
#3
Old 06-16-2005, 04:26 PM
Vidvandre
Banned
Thanks for the notice. Although this has next to no impact on the php apps I am running, I greatly appreciate the heads up!

I'm also happy to see your continued devotion to keeping the servers running healthy! With the possible exploits of this function, it clearly isn't suitable to have it open in an environment such as this...
#4
Old 06-16-2005, 04:30 PM
admin
Vortech Inc. Owner
Location: Orlando FL
I am going to have Dean post some other options as workarounds for "custom" coded apps, i.e. curl.

We are also looking into upgrading to Apache 2.x, as it would allow PHP and sites to be run as the user; this will make it much easier to catch these types of things. But we want to take that very slowly and be sure it does not break anything or kill our boxes with that bit of extra load on them.

open_basedir is the other option we are also looking at to help secure things a bit more. But fopen is the biggest issue, with people running their DDOS attacks from our systems because of poor code.
#5
Old 06-16-2005, 04:43 PM
mdallarosa
Vortech Inc. Customer
Location: Uruguay
This was disabled some days ago on unix15. We then contacted support and it was enabled for some domains.
Will it be disabled for all domains?
#6
Old 06-16-2005, 04:43 PM
matthewshull
Vortech Inc. Customer
Location: Forest, Ohio
What if I have a commercial app (in this case LiteCommerce) that encodes the PHP? I can't edit it.
#7
Old 06-16-2005, 04:55 PM
Two Roads Media
Vortech Inc. Customer
Location: Houston, Texas
Does anyone know of any RSS readers that can parse without allow_url_fopen? As far as I can tell, that is the only way to display an RSS or XML feed using PHP. Without it, RSS is useless despite being one of the most popular and quickly growing information sources on the web.

I'm open to suggestions.
#8
Old 06-16-2005, 04:56 PM
lvanweb
Vortech Inc. Customer
You cannot be sure about this.
There should be a workaround first.
We should get time to implement this workaround.

I cannot agree with this!

This means that our shops stop working tonight.
You cannot mean this!

We need time first!
#9
Old 06-16-2005, 05:01 PM
lvanweb
Vortech Inc. Customer
We must be able to open files on other HTTP locations for reading.
I can agree that you can disable it for writing, but certainly not for reading with fopen.

Let's organise a vote on this.

I would call on all resellers to post their opinion and stop Vortech from doing this
without giving us a nice solution first!
#10
Old 06-16-2005, 05:13 PM
jpal
Junior Member
I think that the ability to turn on allow_url_fopen is necessary to use Amazon's AWS service. My guess would be that I am not the only customer that would like to be able to use this! I would like to have an alternative solution.
#11
Old 06-16-2005, 05:23 PM
admin
Vortech Inc. Owner
Location: Orlando FL
That is the problem with fopen: it does not have separate options for write or read. Even php.net says it should be disabled. We re-enabled it last week after we disabled it on select sites, and the hacking keeps going.

They are running DDOS attacks from our network, hacking people's sites. None of this would have been an issue if people and devs coded things right.

This is something that must be done, and after 3 DOS attacks just last night taking down a part of our network we must act and fix the issue. We wanted to be able to give this to select people but we tried and it still happened. We can't review every person's code and check it for them.

Also maybe Amazon should read up on PHP and understand it's very insecure and a big risk to even allow it. But I am sure they coded their side right.

fopen will be turned off later tonight.
#12
Old 06-16-2005, 05:27 PM
lvanweb
Vortech Inc. Customer
Please read my previous posts,
we need a workaround first or we can close our business!
#13
Old 06-16-2005, 05:35 PM
macrebel
Guest
What general features or cms packages does this affect?

I am new to PHP and wonder if anyone can give me an idea of what features this would affect with CMS systems like Mambo or PHP shop?

Thanks
#14
Old 06-16-2005, 05:40 PM
Dean
Admin
You can gain similar functionality to fopen by using the curl functions. There are all kinds of examples here:

http://us2.php.net/manual/en/ref.curl.php
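An added example, not code from Dean's post or from Vortech, of the curl replacement he points to, applied to the RSS-reader case raised in post #7: the feed is fetched with curl (so the script runs with allow_url_fopen = Off) and then parsed as data. The host allow-list, timeouts, size cap and the constructed sample feed are assumptions made for this example.

```php
<?php
// Added example (not from this thread): an RSS reader that uses curl instead of
// fopen() on a URL, so it works with allow_url_fopen = Off. The host allow-list,
// timeouts, size cap and sample feed below are assumptions made for the example.
const ALLOWED_FEED_HOSTS = ['nagios.hsphere.cc'];

function fetch_feed(string $url): string {
    $p  = parse_url($url);
    $ok = $p !== false && in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)
        && in_array(strtolower($p['host'] ?? ''), ALLOWED_FEED_HOSTS, true);
    if (!$ok) { throw new InvalidArgumentException("refusing to fetch $url"); }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                            // no silent redirects
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // never ftp:// or file://
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 1048576,                          // refuse feeds over 1 MiB
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) { throw new RuntimeException("fetch failed: HTTP $code"); }
    return $body;
}

// Treat the fetched text strictly as data: LIBXML_NONET keeps the XML parser
// from reaching the network for DTDs or external entities.
function parse_rss_titles(string $xml): array {
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) { throw new RuntimeException('feed is not well-formed XML'); }
    $titles = [];
    foreach ($doc->channel->item as $item) {
        $titles[] = (string) $item->title;
    }
    return $titles;
}

// Constructed sample feed so the parser runs offline; for a live fetch call
// parse_rss_titles(fetch_feed('http://nagios.hsphere.cc/feed.xml')) instead.
$sample = '<?xml version="1.0"?><rss version="2.0"><channel><title>Status</title>'
        . '<item><title>unix15 back online</title></item>'
        . '<item><title>Scheduled maintenance</title></item></channel></rss>';
print_r(parse_rss_titles($sample));
```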
#15
Old 06-16-2005, 05:45 PM
admin
Vortech Inc. Owner
Location: Orlando FL
Quote:
Originally Posted by lvanweb
Please read my previous posts,
we need a workaround first or we can close our business!!!!!!

curl is the workaround and the secure way to do the same thing. It does not allow people to run scripts or delete your files.