
Allow url and security risks.

     

PowerUp

8:08 am on Oct 30, 2008 (gmt 0)

5+ Year Member



Hi, I added a PHP banner script to my webpage.

At first, the banner didn't show. The banner only showed up when my host enabled "Allow_url". I was told it was disabled by default due to security issues. I'd like to know what kind of security risks I face by enabling "allow_url".

Thank you.

Sekka

9:55 am on Oct 30, 2008 (gmt 0)

10+ Year Member



"allow_url" means that a PHP file can be included into your script from an external website.

Because you have no control over this external content, someone could swap the file on the external website for some malicious code and use it to damage your website, spread malware, almost anything!

I would side with your hosting company and agree that this should not be turned on. I would find another way to include this code into your website. If it is just HTML you're including, use file_get_contents() [uk2.php.net].
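
Added example, not part of the thread: PHP has two separate settings, allow_url_fopen (URL access for functions such as file_get_contents()) and allow_url_include (URLs in include/require). The sketch below fetches banner HTML as data, as suggested above, assuming allow_url_fopen is On and allow_url_include is Off; the host ads.example.com and the size and timeout limits are constructed placeholders.

```php
<?php
// Added example. ads.example.com and the limits below are constructed
// placeholders, not values from the thread.
const BANNER_URL  = 'https://ads.example.com/banner.html';
const BANNER_HOST = 'ads.example.com';
const MAX_BYTES   = 16384;

/**
 * Fetch banner markup as a string. Nothing fetched here is passed to
 * include/require/eval, so PHP code in the response never runs on this server.
 */
function fetch_banner(string $url, string $allowedHost, int $maxBytes): ?string
{
    $parts = parse_url($url);
    if (!is_array($parts)
        || ($parts['scheme'] ?? '') !== 'https'
        || strcasecmp($parts['host'] ?? '', $allowedHost) !== 0) {
        return null; // only the one expected HTTPS host is accepted
    }

    $ctx = stream_context_create([
        'http' => [
            'timeout'         => 3, // a slow ad server must not stall the page
            'follow_location' => 0, // a redirect could point at another host
        ],
    ]);

    // Read at most $maxBytes + 1 bytes so an oversized response is detectable.
    $body = @file_get_contents($url, false, $ctx, 0, $maxBytes + 1);
    $status = $http_response_header[0] ?? '';
    if ($body === false
        || !preg_match('#^HTTP/\S+ 200\b#', $status) // rejects 3xx bodies too
        || strlen($body) > $maxBytes) {
        return null;
    }
    return $body;
}

// Pattern the thread warns about (only works with allow_url_include = On):
//   include 'https://ads.example.com/banner.php'; // response runs as PHP here

$banner = fetch_banner(BANNER_URL, BANNER_HOST, MAX_BYTES);
// The markup goes to the browser as-is, so any script in it still runs in the
// visitor's page; an empty slot is emitted when the fetch fails.
echo $banner ?? '<!-- banner unavailable -->';
```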

PowerUp

8:04 pm on Oct 30, 2008 (gmt 0)

5+ Year Member



"allow_url" means that a PHP file can be included into your script from an external website.

Because you have no control over this external content, someone could swap the file on the external website for some malicious code and use it to damage your website, spread malware, almost anything!

I would side with your hosting company and agree that this should not be turned on. I would find another way to include this code into your website. If it is just HTML you're including, use file_get_contents().

Do you mean ANYBODY could swap my files, or just specified people (like my advertisers) could swap the files? In my file, there's a PHP banner script. The script has specified which domain to fetch the ads from.

Sekka

8:49 am on Oct 31, 2008 (gmt 0)

10+ Year Member



Whoever has access to the file you are calling in could swap the file. But then again, someone could compromise that server to gain access to yours via this hole.

Basically, allow_url is a no-no unless you really, really need it.

 
