Nov 10, 2006

Running remote scripts

// Fragment as posted; the first branch of this if/elseif chain is not shown in the post.
elseif (intval(get_cfg_var('allow_url_fopen')) && function_exists('file')) {
    // Read the remote URL through the URL wrapper and print the lines straight back out
    if ($content = @file("" . $QueryString))
        echo @join('', $content);
} elseif (function_exists('curl_init')) {
    // Same fetch through cURL; curl_exec() without CURLOPT_RETURNTRANSFER prints the body directly
    $ch = curl_init("" . $QueryString);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_exec($ch);
}

Take care. The site will not answer my questions about the security problems.

Beware of the PHP script provided by that service, which they want you to put on your server. It allows them to take total control of your server. Instead of pulling content and displaying it on your server, it loads the script from the remote server and then runs it.

This is a huge security violation. They can then send spam from your server, run bots, or do anything they want. They will control your server.

Until they release a real script that just prints the content to the screen so it cannot be executed, or answer emails about why they won't change it, do not use that service.

More testing on this shows that the remote content can be loaded and then scanned for any PHP code before it is displayed, but you will have to write your own script to do this. If anyone else wants to help test some safe scripts using this service, let me know. We need to make sure we know all the exploits we need to scan for.
Scanning for
should prevent any PHP code from running. Any more ideas?
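A fetch-and-display helper of the kind the post asks for, added here as an example (it is not the post's script or the service's code). The function names, the allowlisted host and the assumption that allow_url_fopen is enabled are mine; the point is that the remote body is only ever read and echoed, never passed to include() or eval().

```php
<?php
// Added example, not the original post's or the service's code.
// Assumes allow_url_fopen is on; host list and function names are illustrative.

// Hosts you are willing to pull content from (assumed allowlist).
$ALLOWED_HOSTS = array('content.example.com');

// Return the remote body as inert text, or false if the request is refused.
function fetch_remote_text($url, array $allowed_hosts) {
    // Only plain http(s) URLs to known hosts: rejects file://, php://, data: and
    // any host the query string might try to point the server at.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return false;
    }
    // A plain read, capped at 1 MiB; nothing in the response is executed.
    $body = @file_get_contents($url, false, null, 0, 1048576);
    if ($body === false) {
        return false;
    }
    // Refuse a response that carries PHP open tags (<?php, <?=, or a bare <? followed
    // by whitespace). echo would not run them, but a feed that starts shipping code
    // instead of content should be dropped, not displayed.
    if (preg_match('/<\?(php\b|=|\s)/i', $body)) {
        return false;
    }
    return $body;
}

// Display the content as escaped text so remote HTML or JavaScript cannot run in
// the visitor's browser either.
function display_remote_text($url, array $allowed_hosts) {
    $text = fetch_remote_text($url, $allowed_hosts);
    if ($text === false) {
        echo 'Remote content unavailable.';
        return;
    }
    echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Example call with a constructed URL; in the posted script this came from $QueryString.
display_remote_text('http://content.example.com/feed.txt', $ALLOWED_HOSTS);
```

If the feed must render as HTML rather than text, replace htmlspecialchars() with an allowlist-based HTML sanitizer; the fetch-only rule and the host check stay the same.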


George said...

How do you know this? Who told you? Where is the proof?

tmaster said...

Who told me that if you allow remote PHP scripts to run on your server you are giving total access to the remote script and allowing them to do whatever they want on your server?

No one has to tell me; any PHP programmer should know that.

It's a major security violation and most servers are now disabling this function to prevent it.

Who told me the site refuses to comment on it?

I did; they would not answer my emails.

Now I never said what was in the scripts. I have no idea; that's the main problem. We do not know what they will run on your server.

What, do you work for them or something? If so, why do you not provide code that is not a security risk?