Are PHP 5 security settings useless?

Posted: Sun Feb 22, 2009 2:01 pm

PHP 5 has two php.ini options to secure the server:

allow_url_fopen
allow_url_include

If they are set to "off" functions like fopen(), include() and getimgsize() don't work.
Error is: "URL file-access is disabled in the server configuration"

After investigation it seems the options work on the http stream wrapper so i've use the new function stream_wrapper_unregister() to remove the wrapper and build my own.

So i did and after a real "WTF" it worked and i bypassed the security settings!

I discovered this back in 2006 and posted it on this website and codenewbie.com after releasing it in my cvs for the CMS.

After successful reports i implemented it in Dragonfly CMS last week.

Now that the "hack" is really out in the open i reported it: http://bugs.php.net/bug.php?id=47444

However, someone marked it as "bogus" for the fact that those ini options are only there for "block drive-by abuse"

If so, why the hell does every host start to turn "off" those ini settings because "someone said so" without knowing you can override the setting?

What is your opinion?

P.S. I don't want to hear "you should write good code" since there are many that don't because they can't (yet).

registered · Posted: Sun Feb 22, 2009 3:56 pm

Yea PHP seems to have too many ways to bypass such "security" features. Too many little things to worry about, hard to lockdown... and most hosts are lazy anyway.