[Sussex] Getting files from a remote web server in a PHP script

Steve Dobson steve at dobson.org
Mon Oct 24 09:35:49 UTC 2005


Jon

On Mon, Oct 24, 2005 at 10:14:46AM +0100, Jon Fautley wrote:
> Mark Harrison (Groups) wrote:
> >On Sat, 2005-10-22 at 19:46 +0100, Steve Dobson wrote:
> >>I need to write a little script to fetch HTML files from a remote
> >>web server from within a PHP script.  Now I could use system()
> >>to call wget and do it that way.
> >>
> >>But I was wondering is there a better way (more direct) of getting 
> >>the remote data?
> >
> >
> >fopen supports http as if it were a file system, so you can do stuff
> >like:
> >
> >$myfile = fopen("http://www.remoteserver.com/mydirectory/myfile", "r");
> 
> I may be totally wrong here, but I'll say it anyway.
> 
> This is a security risk unless you are VERY VERY careful in what you do.
> Enabling allow_url_fopen enables remote file inclusion for most PHP 
> functions that deal with files.

Okay - now you have me worried.

> Imagine, if you will, that Steve is taking the data from a remote 
> server, then processing it and passing that data to a command 
> line/system() call for further processing - if the remote server is 
> compromised then I'm sure you can all see what happens.
> 
> Another, more serious threat, is that you could assist a 
> cross-site-scripting attack. If someone manages to inject arbitrary PHP 
> into your scripts (and most of these attacks are done automatically), 
> then it's possible to randomly open remote files, and have that PHP run 
> on your system. This is the most common way of compromising a PHP server.
> 
> I apologise if the above made as much sense as a cow standing on the 
> moon with a pair of clogs and a fedora on - it's Monday and I'm tired, 
> but I hope you all see what I'm trying to say :)

Okay - so now you are a cow wearing a hat :-)
Somewhere in there you lost me.  I was up late last night watching 
baseball, and I'm not fully awake yet.  Jon, when you're up to explaining
yourself better and I'm up to listen better can you go into more detail?

Ta
Steve
-- 
You are going to have a new love affair.
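As an added example, not code from the thread: a fetch helper that retrieves the remote HTML through the curl extension, so allow_url_fopen can stay Off and fopen()/include() keep refusing URL paths (the remote-file-inclusion concern Jon raises), restricts requests to an allowlisted host, and hands the result to an external command only as a file name via escapeshellarg(). It assumes the curl extension is loaded and uses a constructed allowlist containing the host from Mark's example.

```php
<?php
// Added example, not from the list thread. Assumes ext/curl is loaded and
// allow_url_fopen = Off in php.ini: curl does not use PHP's stream wrappers,
// so fetching works while fopen()/include() cannot take http:// paths.

// Constructed allowlist of hosts this script may contact.
const ALLOWED_HOSTS = ['www.remoteserver.com'];

function fetch_remote_html(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http/https are permitted');
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('Host is not in the allowlist');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,    // a redirect could leave the allowlist
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 1048576,  // refuse bodies over 1 MiB
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        throw new RuntimeException("Fetch failed (HTTP $status)");
    }
    return $body;
}

// The fetched text is data, never code and never part of a command line:
// write it to a temporary file and pass only the quoted file name to the
// external tool, rather than splicing the content into the command.
$html = fetch_remote_html('http://www.remoteserver.com/mydirectory/myfile');
$tmp  = tempnam(sys_get_temp_dir(), 'fetch');
file_put_contents($tmp, $html);
$out = shell_exec('wc -c ' . escapeshellarg($tmp));
unlink($tmp);
echo $out;
```

In PHP 5.2 and later, including a URL is governed separately by allow_url_include, which stays Off by default even when allow_url_fopen is On.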