
Application and explanation of allow_url_include_PHP tutorial

WBOY (Original)
2016-07-21 14:53:06

PHP is often criticized for allowing URLs to be included and their contents executed as code. In fact, this is not surprising, because it is the cause of one of the most important classes of PHP application vulnerabilities, the so-called Remote URL Include vulnerabilities.

For this reason, many security researchers recommend disabling allow_url_fopen in the php.ini configuration. Unfortunately, many people who recommend this approach do not realize that it breaks many applications and is not a 100% guarantee against remote URL includes and the insecurities they bring.

Users have therefore frequently asked for a way to disable URL inclusion on its own, while still being able to use URLs with the other file system functions.

For this reason, allow_url_include was planned for PHP 6. Following these discussions, the feature was backported to PHP 5.2.0. Most security researchers have since changed their advice and now only advise people to disable allow_url_include.

Unfortunately, allow_url_fopen and allow_url_include do not address the root of the problem. On the one hand, including local files in an application is still dangerous enough, because attackers can often get PHP code onto the server through session data, file uploads, log files, ...

On the other hand, allow_url_fopen and allow_url_include only protect against stream wrappers that are flagged as URLs. This affects http(s) and ftp(s) but not php:// or data: (new in PHP 5.2.0) URLs. With these URL forms, PHP code injection is very simple.

Example 1: Use php://input to include the POST data

<?php
// Insecure include
// The following include statement will
// include and execute everything POSTed
// to the server

include "php://input";
?>

Example 2: Use data: to include arbitrary code

<?php
// Insecure include
// The following include statement will
// include and execute the base64-encoded
// payload. Here this is just phpinfo()

include "data:;base64,PD9waHAgcGhwaW5mbygpOz8+";
?>
Taking this into account, it is obvious that neither allow_url_fopen nor allow_url_include is a guaranteed protection. They merely filter out the most obvious vectors. The 100% solution to these URL include vulnerabilities is our Suhosin extension.
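The following is an added example, not code from the original article or from the Suhosin project. It shows the application-side fix the article's argument points to: since the ini switches only cover the http(s) and ftp(s) wrappers, the include target itself has to be validated so that neither php://input, data: nor any path ever reaches include() from user input. The pages/ directory layout, the "page" query parameter and the resolve_include() function name are assumptions made for this example.

```php
<?php
// Added example (not from the original article): a hardened include helper
// that does not rely on allow_url_fopen or allow_url_include.
// The article shows that include "php://input" and include "data:;base64,..."
// still work with both switches off, so the application validates the
// requested name itself instead of passing request data to include().

declare(strict_types=1);

/**
 * Resolve a user-supplied page name to a file inside $baseDir, or return null.
 * $baseDir and the pages/<name>.php layout are assumptions for this example.
 */
function resolve_include(string $name, string $baseDir): ?string
{
    // 1. Allow only a short plain identifier: no "/", "." or ":" can appear,
    //    so neither a path, a traversal nor a stream wrapper such as
    //    php://input, data: or http:// can be smuggled in.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $name)) {
        return null;
    }

    // 2. Resolve the candidate on disk and confirm it lies below $baseDir
    //    (defence in depth against symlinks; realpath() returns false when
    //    the file does not exist).
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// The insecure pattern from the article's examples is include "<user data>".
// Here the request value is only used after resolve_include() accepted it.
$pagesDir  = __DIR__ . '/pages';        // assumed layout: pages/<name>.php
$requested = $_GET['page'] ?? 'home';   // "page" parameter is an assumption

$file = resolve_include($requested, $pagesDir);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

With this helper, requests such as ?page=php://input, ?page=data:;base64,... or ?page=http://example/x are rejected at step 1 regardless of the php.ini settings, and a name that passes the pattern is still checked against the real directory in step 2. The ini switches remain useful as a second layer, but note that allow_url_include has been deprecated since PHP 7.4, so application-side validation is the part to rely on.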