Preservation of system state considered harmful

Rick Moen rick@linuxmafia.com
Fri, 4 Feb 2005 15:07:47 -0800 

[Sorry about breaking threading.  I'm having to grab quoted text from
the Web archive.]

Nick wrote:

> I'm running testing, and I get little yes/no/diff/etc wotzits all the
> time from dpkg during shabooms.  I just checked now and found that I
> had register_globals still set to On.  I shut it off manually, but I
> never got any prompting from dpkg to install the package maintainer's
> version.

One other thing:  You might also consider switching
/etc/php4/apache/php.ini's allow_url_fopen boolean to "Off".  My
brand-new sarge installation defaulted to "On", which rather strongly
fails to impress me.  

(See http://article.gmane.org/gmane.linux.redhat.fedora.legacy/3281 for
one reason why this is of concern.)


Quoting http://help.tjhsst.edu/articles/fopen.html :

We will be implementing the first of our protections against abuse of
insecure PHP code on our site. Effective March 1st, we will be disabling
the allow_url_fopen PHP config variable. The effect of this is that
files residing on foreign webservers cannot be opened as if they are
files residing on our webserver.

An example of this is the fopen command. The fopen command opens a file
so it can be read from or written to. Normally you would call it like
this:

fopen("fun.txt", "r");

That would open fun.txt on our server. However, prior to disabling
allow_url_fopen, it could also be called like this:

fopen("http://www.foreignwebsite.com/maliciouscode.txt", "r");

Disabling this makes us more secure as malicious code residing on
foreign webservers can't be inserted into an insecure PHP document on
our server. However, there are cases where users actually intend to use
functions to open files on foreign webservers. In that case, by using
this line of PHP code, they can get around the limitation:

ini_set("allow_url_fopen", "1");

Add that ini_set line to the top of any PHP document that needs to use
this special functionality. It only needs to be called once per-document
(it does not need to be called EVERY time you want to use fopen).