36

We have a couple of developers asking for allow_url_fopen to be enabled on our server. What's the norm these days and if libcurl is enabled is there really any good reason to allow?

Environment is: Windows 2003, PHP 5.2.6, FastCGI

Kev
  • I would not do it. At the same time, most PHP based attacks assume the host is running Linux, therefore some of them fail anyway. – tacone Mar 06 '11 at 13:09

5 Answers

22

I think the answer comes down to how well you trust your developers to use the feature responsibly. Data from an external URL should be treated like any other untrusted input, and as long as that is understood, what's the big deal?

The way I see it is that if you treat your developers like children and never let them handle sharp things, then you'll have developers who never learn the responsibility of writing secure code.

19

You definitely want allow_url_include set to Off, which mitigates many of the risks of allow_url_fopen as well.

But because not all versions of PHP have allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen may deter the least determined cracker.

Muhammad Hassaan
Daniel Papasian
  • 5
    Hey Ben, I've seen quite a few cases where variables are passed to include() (or fopen()) that are believed by the developer to reference a local file but instead they are URLs referencing malicious PHP code stored offsite. I can think of few sane reasons why anyone would want to include("http://..") and consequently real security is improved by turning that functionality off. See http://en.wikipedia.org/wiki/Remote_File_Inclusion – Daniel Papasian Jan 19 '10 at 21:13
  • 2
    @Ben James: We have been cracked some time ago, due to security flaws in our up-to-date commercial forum package and also in other outdated software. Turning allow_url_include and allow_url_fopen to off stopped almost every attack. – tacone Mar 06 '11 at 13:08
  • 20
    Why would using libcurl be any safer than using file_get_contents() if I download the same URL and use the data in the same way? It's the same thing. Just as using libcurl and eval()'ing the downloaded content is not at all safer than include()'ing an external url. It's just fake "security by being annoying", like Windows Vista asking you twice if you really, really want to run that program. – Michał Tatarynowicz Jul 03 '13 at 05:42
  • Is this still the case? – oldboy Mar 23 '18 at 01:59
  • 2
    In reply to "Why would using libcurl be any safer than using file_get_contents()", the point is that code will often use `file_get_contents()` to open a local file, so allowing remote opening leads to an attack vector that is relatively easy to exploit (it just takes one unsanitised variable...). If you *know* you are dealing with a remote URL, then cURL should be used and you're right, in this case there is no difference in the security implications. – HappyDog Mar 21 '19 at 16:20
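To make the point in this answer and in HappyDog's comment concrete, here is an added example (not code from the original answers): the "one unsanitised variable" pattern, beside a version that restricts the call to a local directory so it does not depend on the allow_url_fopen or allow_url_include settings. The $baseDir location and PHP 7.0 or later are assumptions.

```php
<?php
// Added example, not from the original answers. $baseDir is an assumed
// location; scalar type hints require PHP 7.0 or later.

// VULNERABLE: $name is meant to be a local template name, but with
// allow_url_fopen=On a value such as "http://host/x" makes
// file_get_contents() fetch remote content, and include() would execute
// it if allow_url_include were also On.
function load_template_unsafe(string $name)
{
    return file_get_contents($name);
}

// HARDENED: resolve the request to a real path under a fixed base
// directory. Stream wrappers ("http://", "ftp://", "php://", "data:")
// and drive letters never resolve to a path inside it, so they are
// rejected whatever the ini settings say.
function load_template_safe(string $name, string $baseDir): string
{
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $name)) {
        throw new InvalidArgumentException('URL schemes are not allowed');
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses "../", so a traversal attempt ends up outside
    // $base and fails the prefix check below.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('template not found');
    }
    return file_get_contents($path);
}

// Defence in depth: report the effective ini state at runtime so a
// deployment can be checked without reading php.ini by hand.
function url_wrapper_state(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}
```

Code that genuinely needs a remote resource should call cURL explicitly, as the answer suggests, so that a local-file code path can never be turned into a remote fetch.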
2

It depends on the type of development. If you're prototyping then enabling 'allow_url_fopen' is fine; however, there isn't a significant speed difference between libcurl and file_get_contents, and enabling it is only a matter of convenience.

For production servers any call to libcurl should be flagged for a security audit. As should fopen and file_get_contents if 'allow_url_fopen' is enabled. Disabling 'allow_url_fopen' does not prevent exploits; it only slightly limits the number of ways they can be done.

gradbot
1

Cross-site scripting attacks are a pain, so that's a vote against. And you should absolutely have "allow_url_include" set to off, or you'll be in for a world of hurt.

Michael Cramer
-3

The big problem is that allow_url_fopen is not more secure, so if you want to save a file from a URL using curl, you must pass through fopen/file_get to save the file.

  • CURL is only good for retrieving remote content from a URL. (allow_url_fopen not necessary)
  • CURL must be combined with fopen or file_get if you want to save a remote file to your server. (allow_url_fopen obligatory with CURL)

PHP must find other ways to make it more secure.

Maverick
  • That's just incorrect; you can save a file just fine without enabling allow_url_fopen, even if you happened to get the content using Curl. – El Yobo Jan 28 '13 at 23:27