[php-maint] Bug#344952: php4: allow_url_fopen = On by default is insecure and there are bots exploiting this

Chris Niekel chris at niekel.net
Tue Dec 27 21:30:49 UTC 2005

Package: php4
Version: 4:4.4.0-4
Severity: normal


The setting use_url_fopen is On by default, like upstream php4. This allows
code like:
where $p is set in the url. This being exploited by people to make you do

Although this is mostly a problem by the php-user, setting this option to
'Off' by default seems a good security trade-off to me.  (And yes, my site
was running some strange code, fortunately as www-data).

Chris Niekel

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages php4 depends on:
ii  libapache-mod-php4            4:4.4.0-4  server-side, HTML-embedded scripti
ii  php4-cgi                      4:4.4.0-4  server-side, HTML-embedded scripti
ii  php4-common                   4:4.4.0-4  Common files for packages built fr

php4 recommends no packages.

-- debconf information:
  php4/run_apache_sslconfig: true
  php4/run_apacheconfig: true
  php4/update_apache_php_ini: true

More information about the pkg-php-maint mailing list