Newsgroups: php.internals
Date: Sun, 11 Apr 2010 17:23:04 +0100 (BST)
To: internals@lists.php.net
From: keith@karsites.net (Keith Roberts)
Subject: Making reading files from remote URL's more secure

Hi all.
I've been reading about the security implications of turning allow_url_fopen 'on' for certain PHP applications that need to read files from a remote URL.

To recap, please read this old article about Remote file inclusion vulnerabilities: http://lwn.net/Articles/203904/

I'm just wondering if the ability to read files from a remote URL could be moved into a set of functions dedicated to that purpose alone? Then remove the URL reading ability from the standard file reading functions, to make those more secure?

The new set of remote file reading functions could be prefixed with 'url_'. This would make it easier to distinguish between the local file reading functions and those that read from remote URLs.

So the normal fopen() function would only work on files locally, regardless of whether allow_url_fopen was turned on. allow_url_fopen would only enable the file functions with the 'url_' prefix. Setting allow_url_fopen to 'OFF' would disable those remote file reading functions, prefixed with 'url_'.

To read a file from localhost just use the normal syntax:

To read a file from a remote URL use:

To write a file to a remote URL use:

To make sure that an attacker cannot use url_fopen() in an attack script, these url_ prefixed remote file read/write functions could also take another required parameter, $md5hash.

fopen (PHP 4, PHP 5)
fopen — Opens file or URL

Description
fopen ( string $filename, string $mode, $md5hash [, bool $use_include_path = false [, resource $context ]] )

As in:

$md5hash is a value that the 'url_' prefixed remote file reading/writing functions check before opening the remote URL. If the $md5hash parameter does not match what the function expects, then the function fails with an error message and refuses to open the remote file.
If the $md5hash was stored on the localhost, then the attacker would not have access to it, and the url_ prefixed remote file functions would fail with the error message, "Cannot open remote URL - invalid hash key".

These remote file opening attempts would also appear in the PHP error log, making it easier to spot such security attacks.

Any ideas how the $md5hash KEY could be stored on localhost, so PHP can read it, and then compare that KEY with the value the programmer passes into the url_fopen($file, $mode, $md5hash) function?

Kind Regards,
Keith Roberts

Websites: http://www.karsites.net http://www.php-debuggers.net
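As an added example (not code from the original post, nor part of PHP itself), here is a userland sketch of the split the post proposes: a local-only opener that refuses every stream wrapper regardless of allow_url_fopen, and a url_fopen() that works only when allow_url_fopen is on and the caller supplies the key stored in a file on localhost. The key-file path, the function names, the URL schemes accepted and the use of hash_equals() for the comparison are assumptions of this example.

```php
<?php
// Assumed location of the key on localhost, outside the web root (placeholder path).
const REMOTE_KEY_FILE = '/etc/php-remote-key.txt';

/**
 * Local-only fopen(): refuses any stream wrapper (http://, ftp://, php://,
 * data:, phar:// ...) no matter how allow_url_fopen is set, so a filename
 * built from user input can never turn a local read into a remote fetch.
 * Note: the scheme check also rejects Windows drive letters such as "C:\".
 */
function local_fopen(string $filename, string $mode)
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $filename)) {
        trigger_error("local_fopen(): refusing to open stream URL '$filename'", E_USER_WARNING);
        return false;
    }
    return fopen($filename, $mode);
}

/**
 * Remote opener as proposed: only for remote URLs, only when allow_url_fopen
 * is on, and only when $key matches the key stored on localhost.
 * Failed attempts are written to the PHP error log.
 */
function url_fopen(string $url, string $mode, string $key)
{
    if (!ini_get('allow_url_fopen')) {
        trigger_error('url_fopen(): allow_url_fopen is disabled', E_USER_WARNING);
        return false;
    }
    // Accept only the remote schemes this example chooses to allow (assumption).
    if (!preg_match('#^(https?|ftp)://#i', $url)) {
        trigger_error("url_fopen(): '$url' is not a remote URL", E_USER_WARNING);
        return false;
    }
    $expected = @file_get_contents(REMOTE_KEY_FILE);
    // Constant-time comparison so the check does not leak the key byte by byte.
    if ($expected === false || !hash_equals(trim($expected), $key)) {
        error_log("url_fopen(): invalid hash key for '$url'");
        trigger_error('Cannot open remote URL - invalid hash key', E_USER_WARNING);
        return false;
    }
    return fopen($url, $mode);
}
```

With this split, code that should never touch the network calls local_fopen() and cannot be redirected to a URL, while the few call sites that need a remote read go through url_fopen() and are the only ones the key and the error-log entries apply to.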