From: ashley at netcraft dot com dot au
Operating system: Linux
PHP version: 4.3.3
PHP Bug Type: Feature/Change Request
Bug description: include insecurity
Description:
------------
I think it's highly insecure that 'include' and 'require' support http:// URLs by default. Why would you want to execute arbitrary code from another web page? I have seen many sites where they are exploitable because they do require $page . ".php"; Although this is bad programming, it's still insecure to allow http URLs by default.

Also, I'd strongly suggest never using http includes unless you control the DNS for the domain of the site you are connecting to. Otherwise the hostname could be changed over to a different page.

-- 
Edit bug report at http://bugs.php.net/?id=25461&edit=1
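The pattern the reporter describes, `require $page . ".php"` with `$page` taken from the request, beside a hardened form that only ever includes a local file from an explicit allowlist. This is an added illustration, not code from the bug report or from PHP itself; the `pages/` directory, the page names and the `?page=` parameter are constructed for the example, and it assumes PHP 7.1 or later for the type declarations.

```php
<?php
// Added example (not from the bug report): the vulnerable pattern the reporter
// describes next to a hardened version. Directory, page names and the request
// parameter are constructed for illustration.

// --- Pattern described in the report: the request parameter is spliced straight
// into the include path. When URL wrappers are allowed for include/require, a
// value such as a remote URL is fetched and executed instead of a local file.
function includePageUnsafe(string $page): void
{
    require $page . ".php";
}

// --- Hardened form: the parameter is never used as a path. It is matched against
// a fixed allowlist and resolved only inside one local directory.
const PAGE_DIR      = __DIR__ . '/pages';               // constructed directory
const ALLOWED_PAGES = ['home', 'about', 'contact'];     // constructed allowlist

function resolvePage(string $page): ?string
{
    // Only bare page names: no scheme, no slashes, no dots, and it must be listed.
    if (!preg_match('/^[a-z0-9_]+$/', $page) || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page . '.php');
    // realpath() returns false for a missing file and collapses any traversal;
    // still confirm the resolved file lies inside PAGE_DIR before including it.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function includePageSafe(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    require $path;
}

includePageSafe($_GET['page'] ?? 'home');
```

The allowlist is the real control here: once `$page` can only select among known local files, it no longer matters whether URL wrappers are enabled. As a second layer, on PHP 4.3 setting `allow_url_fopen = Off` in php.ini disables URL wrappers for include/require as well; from PHP 5.2 onward a separate `allow_url_include` directive, which defaults to Off, governs include/require independently of `allow_url_fopen`.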