

PHP Server Side Scripting Forum

    
Allow url and security risks.
PowerUp




msg:3776495
 8:08 am on Oct 30, 2008 (gmt 0)

Hi, I added a php banner script to my webpage.

At first, the banner didn't show. The banner only showed up when my host enabled "Allow_url". I was told it was disabled by default due to security issues. I'd like to know what kind of security risks I face by enabling "allow_url".

Thank you.

 

Sekka




msg:3776555
 9:55 am on Oct 30, 2008 (gmt 0)

"allow_url" means that a PHP file can be included into your script from an external website.

Because you have no control over this external content, someone could swap the file on the external website for some malicious code and use it to damage your website, spread malware, almost anything!

I would side with your hosting company and agree that this should not be turned on. I would find another way to include this code into your website. If it is just HTML you're including, use file_get_contents() [uk2.php.net].

PowerUp




msg:3777041
 8:04 pm on Oct 30, 2008 (gmt 0)

"allow_url" means that a PHP file can be included into your script from an external website.

Because you have no control over this external content, someone could swap the file on the external website for some malicious code and use it to damage your website, spread malware, almost anything!

I would side with your hosting company and agree that this should not be turned on. I would find another way to include this code into your website. If it is just HTML you're including, use file_get_contents().

Do you mean ANYBODY could swap my files, or just specified people (like my advertisers) could swap the files? In my file, there's a PHP banner script. The script has specified which domain to fetch the ads from.

Sekka




msg:3777325
 8:49 am on Oct 31, 2008 (gmt 0)

Whoever has access to the file you are calling in could swap the file. But then again, someone could compromise that server to gain access to yours via this hole.

Basically, allow_url is a no-no unless you really, really need it.
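
Added example, not code from any poster in this thread: PHP has two related settings, allow_url_fopen (URL wrappers for file functions) and allow_url_include (include/require of URLs). The sketch below needs neither; it fetches the banner over cURL from an allowlisted host and treats the response as markup to output, never as PHP to execute. The host ads.example.com, the sample URLs and the function names are assumptions.

```php
<?php
// Added example: fetch advertiser banner markup as data, never as PHP code.
// ALLOWED_AD_HOSTS and the sample URLs below are constructed placeholders.
const ALLOWED_AD_HOSTS = ['ads.example.com'];

/** True only for https URLs on an allowlisted host, without credentials or custom ports. */
function is_allowed_banner_url(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (strtolower($p['scheme']) !== 'https') {
        return false;
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return false;
    }
    return in_array(strtolower($p['host']), ALLOWED_AD_HOSTS, true);
}

/** Fetch banner markup with cURL; returns null on any validation or transfer failure. */
function fetch_banner_html(string $url, int $maxBytes = 65536): ?string
{
    if (!is_allowed_banner_url($url) || !function_exists('curl_init')) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,            // a redirect could leave the allowlisted host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // no file://, ftp://, etc.
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if (!is_string($body) || $code !== 200 || strlen($body) > $maxBytes) {
        return null;
    }
    return $body; // echo this: it is sent to the browser as markup, not run by PHP
}

// Constructed sample URLs: only the first one passes validation.
foreach (['https://ads.example.com/banner?id=1', 'http://ads.example.com/b',
          'https://ads.example.com.evil.test/b', 'ftp://ads.example.com/b'] as $u) {
    printf("%-40s %s\n", $u, is_allowed_banner_url($u) ? 'allowed' : 'rejected');
}
```

The fetched markup still runs in visitors' browsers, so whoever controls the ad host can change what your visitors see; what this removes is the ability to run PHP on your server.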

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved