[Sussex] Getting files from a remote web server in a PHP script

Mark Harrison (Groups) mph at ascentium.co.uk
Mon Oct 24 10:43:33 UTC 2005


On Mon, 2005-10-24 at 10:14 +0100, Jon Fautley wrote:
> 
> I may be totally wrong here, but I'll say it anyway.

No, you're right in the technical aspects of what you say.

However, what I don't see is how getting remote files any other way
helps! If there's the possibility of injecting PHP to be executed by
Steve's server, then that PHP equally can run a "system ... wget" setup,
to get at some remote nasties. The fundamental threat, AIUI, lies with
the fact that this is running on a server that can get at remote files
AT ALL, not particularly with turning on that setting.

I agree that the automated attack nature of this kind of thing means
that code injection is likely to work off an fopen, though.

Like all these "security threats", though, the vast, vast majority of
attacks occur not because of poorly-written custom code, but because
someone is running an off-the-shelf package, without keeping up to date
with the latest patches.

I could understand the concern if Steve were looking, say, at bunging up
Mambo and adding a content module, but the impression I got was that
Steve was going to be writing his own code.


Let me ask the question another way though - have you got a better way
for Steve to do the remote file access?

M.
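
One sketch of the "better way" the question asks about, added here as an example and not code from the thread or from anyone on it: the remote fetch is pinned to a host chosen in advance, HTTPS only, with no redirects and a size cap, and whatever comes back is handled as data that is never include()d or eval()ed. The allowlisted host, the size limit and the use of the curl extension are assumptions.

```php
<?php
// Added example (not from the thread). The pattern the discussion worries
// about, fopen()/include() on a URL assembled from request input, is replaced
// by a fetch whose destination the application fixes in advance.

// Assumption: the only upstream Steve's script needs (placeholder host).
const ALLOWED_HOSTS = ['feeds.example.com' => true];
const MAX_BYTES     = 1024 * 1024;   // refuse bodies larger than 1 MiB

function fetch_remote_file(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    // HTTPS to an allowlisted host only: no file://, ftp://, php:// wrappers.
    if (strtolower($parts['scheme']) !== 'https'
        || !isset(ALLOWED_HOSTS[strtolower($parts['host'])])) {
        throw new InvalidArgumentException('URL not on the allowlist');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // a redirect could leave the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // belt and braces with the check above
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => MAX_BYTES,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200 || strlen($body) > MAX_BYTES) {
        throw new RuntimeException('remote fetch failed');
    }
    // The caller parses or stores this string; it is never passed to
    // include(), require(), eval() or a shell.
    return $body;
}

// Usage: the URL is built by the application, not taken from the request.
$feed = fetch_remote_file('https://feeds.example.com/latest.xml');
```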
