Re: Mambo, Coppermine and PHPBB Attacks

[Yasuo Ohgaki <yohgaki () ohgaki net>]

Paul Laudanski wrote:
> On Tue, 20 Dec 2005, Tofik Suleymanov wrote:
>
>
> > From php.ini
> > "Whether to allow the treatment of URLs (like http:// or ftp://) as files."
> >
> > In latest versions of php this option is set to secure mode of operation 
> > by default (as far as i know):
> > allow_url_fopen = Off
> > This option prevents such type of attacks.

It's great if this failsafe feature works as expected.
Nobody can guarantee newbie php programmer make such hole in an app.

> Just so that we can set the record straight I checked the manual at 
> php.net.
>
> Reference: http://us2.php.net/filesystem
>
> allow_url_fopen by default is set to On.

Even if allow_url_fopen=off, anyone can inject any code with POST and php://input
if app has such include/require bug.

This hole is opened when php:// type is supported by php stream. Since then,
allow_url_fopen=off cannot be used as failsafe feature to disable remote code
execution. This hole seems to be keep opened.

Besides, someone made allow_url_fopen php.ini setting from INI_ALL to INI_SYSTEM.
(i.e. only system level php.ini can change the setting) Some features such as
simplexml require allow_url_fopen=on.

These changes made allow_url_fopen=off useless.

-- 
Yasuo Ohgaki