ID: 25461 Updated by: [EMAIL PROTECTED] Reported By: ashley at netcraft dot com dot au -Status: Open +Status: Bogus Bug Type: Feature/Change Request Operating System: Linux PHP Version: 4.3.3 New Comment:
Search php.ini-dist (or php.ini-recommended) for "allow_url_fopen" directive. Previous Comments: ------------------------------------------------------------------------ [2003-09-09 19:48:43] ashley at netcraft dot com dot au Description: ------------ I think it's highly insecure that 'include' and 'require' support http:// url's by default. Why would you want to execute arbitrary code from another web page? I have seen many sites where they are exploitable because they do require $page. ".php"; Although this is bad programming, it's still insecure to allow http url's by default. Also, I'd strongly suggest never using http includes unless you control the DNS for the domain of the site you are connecting to. Otherwide the hostname could be changed over to a different page. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=25461&edit=1
