[php-maint] Bug#344952: php4: allow_url_fopen = On by default is
insecure and there are bots exploiting this
Chris Niekel
chris at niekel.net
Tue Dec 27 21:30:49 UTC 2005
Package: php4
Version: 4:4.4.0-4
Severity: normal
Hi,
The setting use_url_fopen is On by default, like upstream php4. This allows
code like:
include($p);
where $p is set in the url. This being exploited by people to make you do
include('http://.../bad/script');
Although this is mostly a problem by the php-user, setting this option to
'Off' by default seems a good security trade-off to me. (And yes, my site
was running some strange code, fortunately as www-data).
Regards,
Chris Niekel
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages php4 depends on:
ii libapache-mod-php4 4:4.4.0-4 server-side, HTML-embedded scripti
ii php4-cgi 4:4.4.0-4 server-side, HTML-embedded scripti
ii php4-common 4:4.4.0-4 Common files for packages built fr
php4 recommends no packages.
-- debconf information:
php4/run_apache_sslconfig: true
php4/run_apacheconfig: true
php4/update_apache_php_ini: true
More information about the pkg-php-maint
mailing list