WebApp Sec mailing list archives

Re: Mambo, Coppermine and PHPBB Attacks


From: Paul Laudanski <zx () castlecops com>
Date: Tue, 20 Dec 2005 17:15:43 -0500 (EST)

On Tue, 20 Dec 2005, Tofik Suleymanov wrote:

> From php.ini
> "Whether to allow the treatment of URLs (like http:// or ftp://) as files."
>
> In the latest versions of PHP this option is set to a secure mode of operation
> by default (as far as I know):
> allow_url_fopen = Off
> This option prevents this type of attack.

Just so that we can set the record straight I checked the manual at 
php.net.

Reference: http://us2.php.net/filesystem

allow_url_fopen by default is set to On.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[cal] http://events.castlecops.com
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
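
Added example, not part of the original message: a Python check that resolves the effective allow_url_fopen value from php.ini text, showing that a file where the directive is absent or only commented out still leaves it On, the default the manual reference above gives. The function names, the sample ini strings and the simplified boolean parsing are assumptions of this example.

```python
# Added example: resolve the effective allow_url_fopen value from php.ini text.
# Assumptions: boolean parsing approximates PHP's ini handling (on/yes/true or
# a non-zero integer are true, anything else is false); per-directory
# [PATH=]/[HOST=] sections and runtime or web-server overrides are not modelled.
import re

PHP_DEFAULT = True  # built-in default when php.ini does not set the directive


def parse_bool(raw):
    """Interpret a php.ini boolean value such as On, off, "1", yes or empty."""
    value = raw.strip().strip("\"'").lower()
    if value in ("on", "yes", "true"):
        return True
    match = re.match(r"[+-]?\d+", value)
    return bool(match) and int(match.group()) != 0


def effective_allow_url_fopen(ini_text):
    """Return (enabled, source); source is 'default' or 'line N'."""
    enabled, source = PHP_DEFAULT, "default"
    for lineno, line in enumerate(ini_text.splitlines(), start=1):
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, raw = line.split("=", 1)
        # Directive names are case sensitive; a later setting replaces an earlier one.
        if key.strip() == "allow_url_fopen":
            enabled, source = parse_bool(raw), f"line {lineno}"
    return enabled, source


# Constructed sample inputs (not taken from any real server).
SAMPLES = {
    "directive absent": "[PHP]\nengine = On\n",
    "commented out": "; allow_url_fopen = Off\n",
    "explicitly off": "allow_url_fopen = Off\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        enabled, source = effective_allow_url_fopen(text)
        state = "On" if enabled else "Off"
        print(f"{name}: allow_url_fopen = {state} ({source})")
```
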

