Difference between revisions of "Vuln php allow url fopen"

From Atomicorp Wiki
Latest revision as of 23:04, 8 December 2012

Allow URL Fopen is enabled

PHP includes a setting, allow_url_fopen, that allows PHP's file functions, such as file_get_contents() and the include and require statements, to retrieve data in real time from remote locations such as FTP servers and web sites. A large number of the code injection vulnerabilities reported in PHP-based web applications are caused by the combination of allow_url_fopen being enabled and poor input filtering. allow_url_fopen is on by default in PHP.

This vulnerability means that allow_url_fopen is still set to On. We highly recommend that you set it to Off.

Next Steps

Step 1: Log into the ASL GUI, click on Configuration and select the ASL configuration menu option. This will open the ASL configuration screen.

Step 2: Scroll down to PHP_CHECKS and make sure it is set to "yes". By default ASL only warns about PHP vulnerabilities; setting this to "yes" makes it fix them as well. If it is set to "no", the next step will not work, so set it to "yes".

Step 3: Scroll down to PHP_URL_FOPEN and set this to "no".

Step 4: Click the "update" button.

This will resolve this vulnerability.
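The following is an added example, not code from the Atomicorp wiki or from ASL, that illustrates both sections above: the kind of unfiltered include that the allow_url_fopen setting makes dangerous, the hardened allow-list form that does not depend on the ini setting at all, and a small runtime check you can run after Step 4 to confirm that allow_url_fopen is now Off. The function names, the `templates/` directory and the page names are assumptions made for the example.

```php
<?php
// Added example (not Atomicorp/ASL code). Function and path names are assumptions.

// Vulnerable pattern: a user-supplied page name reaches include() unfiltered.
// With allow_url_fopen=On (and, on PHP 5.2+, allow_url_include=On as well),
// a remote URL could be fetched and executed. Even with both Off, arbitrary
// local files can still be included, so input validation is required regardless
// of the ini setting. Shown only as the "before"; do not use.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// Hardened pattern: map the user's choice onto a fixed allow-list of local
// templates, so no user-controlled string ever becomes a path or URL.
const PAGE_TEMPLATES = [
    'home'    => __DIR__ . '/templates/home.php',    // assumed paths
    'about'   => __DIR__ . '/templates/about.php',
    'contact' => __DIR__ . '/templates/contact.php',
];

function render_page_safe(string $page): void
{
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include PAGE_TEMPLATES[$page];
}

// Configuration check: true when allow_url_fopen is disabled.
// ini_get() returns "1" for On and "0" or "" for Off; filter_var normalises both.
function allow_url_fopen_disabled(): bool
{
    return !filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// Usage: run from the command line after applying the fix.
if (PHP_SAPI === 'cli') {
    printf("allow_url_fopen is %s\n",
        allow_url_fopen_disabled() ? 'Off (good)' : 'On (still needs fixing)');
    // allow_url_fopen is a PHP_INI_SYSTEM directive: it cannot be changed with
    // ini_set() at runtime, so it must be set in php.ini (or, on ASL, through
    // the PHP_URL_FOPEN option described above) and PHP restarted.
}
```

Run the script with `php check.php` (any filename) under the same PHP build the web server uses; if it still reports On, the change has not reached the php.ini that the web server loads. The allow-list in render_page_safe is the part that actually removes the injection risk; turning allow_url_fopen Off narrows what a missing check can reach, but does not replace the check.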
