Chapter 19. Accessing remote files
As long as support for the "URL fopen wrapper" is enabled when PHP is
configured (which is the default, unless the --disable-url-fopen-wrapper
option was used at install time (versions up to 4.0.3) or the
allow_url_fopen parameter has been disabled in php.ini (newer versions)),
HTTP and FTP URLs can be used with most functions that take a filename as
a parameter, including require() and include() statements.
Note:
Remote files do not work with include() and require() statements under
Windows.
For example, a file on another web server can be opened and processed.
That data can then be used to query a database, or simply be output in a
style that matches the rest of your own website.
Example 19-1. Getting the title of a remote page

<?php
$file = fopen("http://www.example.com/", "r");
if (!$file) {
    echo "<p>Datei konnte nicht geöffnet werden.\n";
    exit;
}
while (!feof($file)) {
    $line = fgets($file, 1024);
    /* Only works if the title and the title tags are on one line */
    if (eregi("<title>(.*)</title>", $line, $out)) {
        $title = $out[1];
        break;
    }
}
fclose($file);
?>

A file can also be written to an FTP server, as long as you connect as a
user with the appropriate access rights and the file does not already exist.
To connect as a user other than 'anonymous', a username (and possibly a
password) must be given within the URL, e.g.
'ftp://user:password@ftp.example.com/pfad/zur/datei'. (The same syntax can
be used to access data via HTTP when it requires Basic Authentication.)
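The 'user:password@host' syntax described above also carries the characters ':' and '@' as separators, so a credential containing one of them has to be percent-encoded before it is embedded, and the resulting string is a filename that may surface in warnings and logs. The following is an added example, not code from the manual; the host, path and credentials are constructed placeholders, and it assumes the http wrapper decodes percent-encoded user and password parts (the case in current PHP releases).

```php
<?php
// Added example (not part of the manual): building a URL with embedded
// Basic Authentication credentials, the same user:password@host form the
// chapter describes for FTP. All values below are constructed.

function build_auth_url($scheme, $host, $path, $user, $pass)
{
    // Only http and ftp carry credentials this way; refuse anything else so
    // a typo can never hand the password to an unexpected wrapper.
    if ($scheme !== 'http' && $scheme !== 'ftp') {
        return false;
    }
    // A ':' or '@' inside the username or password would be read as the
    // separator, so each part is percent-encoded before it is embedded.
    return $scheme . '://' . rawurlencode($user) . ':' . rawurlencode($pass)
         . '@' . $host . $path;
}

// Constructed credentials; a password containing '@' and ':' is the edge case.
$url = build_auth_url('http', 'www.example.com', '/protected/data.txt',
                      'reportuser', 'p@ss:word');
// $url is http://reportuser:p%40ss%3Aword@www.example.com/protected/data.txt

$file = fopen($url, 'r');
if (!$file) {
    echo "<p>Could not open the protected resource.\n";
    exit;
}
while (!feof($file)) {
    $line = fgets($file, 1024);
    // process each line of the protected document here
}
fclose($file);
?>
```

Because the credentials are part of the filename string PHP passes around, they appear in any warning that quotes the filename; never build such a URL from request data, and keep the username and password in configuration rather than in the script.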
Example 19-2. Storing data on a remote server

<?php
$file = fopen("ftp://ftp.example.com/incoming/outputfile", "w");
if (!$file) {
    echo "<p>Datei konnte zum Schreiben nicht geöffnet werden.\n";
    exit;
}
/* Write the data here. */
fputs($file, "$HTTP_USER_AGENT\n");
fclose($file);
?>

Note:
The example above might tempt you to use this technique to write to a
remote log file. As mentioned above, however, only new files can be created
with the URL fopen() wrappers. For distributed logging, have a look at the
syslog() function.
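As an added example of the syslog() route the note points to (not code from the manual), the function below writes the same kind of visitor record that Example 19-2 sent to an FTP file. The identifier, facility and message layout are choices made here; the sample values stand in for $HTTP_USER_AGENT and the client address.

```php
<?php
// Added example (not from the manual): logging a visit through syslog()
// instead of writing to a remote file. Identifier, facility and message
// format are this example's choices, not something the chapter prescribes.

function log_visit($ident, $user_agent, $remote_addr)
{
    // Request headers are untrusted: a newline inside them would forge an
    // extra log line, so control characters are replaced and the length is
    // capped so one oversized header cannot flood the log.
    $user_agent  = preg_replace('/[\x00-\x1F\x7F]/', '?', $user_agent);
    $user_agent  = substr($user_agent, 0, 256);
    // An address may only contain digits, hex letters, dots and colons.
    $remote_addr = preg_replace('/[^0-9a-fA-F.:]/', '', $remote_addr);

    // LOG_LOCAL0 is a facility that syslogd configurations commonly forward
    // to a central log host; LOG_PID tags each entry with the process id.
    openlog($ident, LOG_PID, LOG_LOCAL0);
    $ok = syslog(LOG_INFO, "visit ip=$remote_addr ua=\"$user_agent\"");
    closelog();
    return $ok;
}

// Constructed sample values: the user agent carries a forged second line.
log_visit('webapp', "Mozilla/4.0 (compatible)\nfake entry", '192.0.2.10');
?>
```

Forwarding the local0 facility to another host is then a syslogd configuration matter on the web server, so the script itself never opens a network connection or holds credentials for the log destination.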
User Contributed Notes: Accessing remote files

greg at b-sphere dot com
25-Apr-2000 09:21

To use images and links in an included or required web page on a remote
server, the calls in the remote files probably must use a fully qualified
URL (). Don't know
how universal this is, but it's been the case with several servers so far,
and no exceptions found. Since the URLs on the remote page are probably
using relative addressing, some added coordination is probably called for
in most collaboration projects, where one site is serving content to be
required or included on other sites.

php!at!sturmgewehr.de
25-Feb-2002 02:42

Be careful when you use something like index.php?showpage=news.php and
include() that $showpage file. If a malicious user would call your
script as index.php?showpage= it
would include that script and run it in *your* script's scope. That means
it can read all files and variables your webserver has access to! Use
file_exists() (which only works on local files) or check for 'tp:' in the
filename prior to inclusion.

jt at gno dot de
27-Feb-2002 12:24

Greg: I had your problem, too, and I simply solved it by defining a
<base href> tag in the script's HTML header. This points all
relative links and image sources of the included page to the defined
URL. E.g. you run your script on yourhost.com and you include a site
from php.net then you would define <base href=">
Of
course you have to make your own references in the script global!

christer at frostmo dot com
04-Apr-2002 03:21

The easiest solution to this security risk is, in my opinion, to add a
host string in front of the url specified in the url
address.
example:
<html> <head><title>php.net</title></head> <body>
<?php include("); ?>
</body> </html>
yup
=) It's impossible to include() a page from another
server.
Regards,
Christer
Frostmo Norway www.frostmo.com

toby at butzon dot com
19-Apr-2002 12:15

It's important to understand that remote files included/required into your
script are NOT run on your server (as previous posts have suggested).
Think about it this way: When I do this:
<?php
include(');
?>
..I'm actually asking PHP to make a separate HTTP request
(just as your Web browser would) to www.example.com. So, point your
browser to that location. Do you see any PHP code? No. You will only see
HTML/text content.
(On the off chance that .php wasn't associated
with the PHP module/binary, the code would only be displayed. Thus, you
would have to TRY to make a dangerous include scenario -- such as
eval()'ing a remotely included file specified by the
user.)
Therefore, although this code may be vulnerable to an
"untrustworthy information" attack (where the information
displayed by your Web site isn't actually information you endorse, even
though the information is ultimately transferred from your Web server),
you are NOT vulnerable to malicious access to your Web server resources,
even if visitors can specify any remote server/file that they please.

klaus at netlibrary dot de
02-May-2002 04:08

In my experience, I cannot agree with Toby. Scripts can indeed be run
through remotely included files. All that needs to be done is put the PHP
script into an HTML or other file that is not parsed by the remote
server.
This theoretically enables a malicious scripter to attack
using a series of steps. For example, a simple .htm file with the
content
<?php echo phpinfo(); ?>
will give quite
a bit of information about the local system and possibly will give enough
information to wreak havoc in the server's file system. If you would like
to try this out, create an 'includetest.php' in a protected directory on
your server with the content
<?php include $inc; ?>
Pass the file to be included as
'includetest.php?inc= The
page is on one of my less used servers and can be accessed with any
browser to show that it is simply the phpinfo() command I described
above.
I have tested this on 3 servers, all running PHP < 4.2.0,
and unless this was fixed in the latest release, it still works.

php at jerde dot net
06-May-2002 09:22

You must be VERY careful if you allow a variable to control the URL of an
include()ed file.
A previous poster suggested: include(");
This,
however, won't work in all cases. For example, set the variable to
"@www.evil-site.dom/evil-code.phps"
Your carefully
constructed pre-URL is now sent merely as a username to the attacker's web
site.
Stripping out "@" and ":" would be a good
idea, and THEN you'd probably be safe.
- Peter
Jerde Minneapolis, Minnesota, USA

joachim_php dot net at schirrmachers dot de
05-Jul-2002 03:19

It seems that it isn't possible to replace the standard browser signature
sent in an fopen(') call with another
value, i.e. the current value of $HTTP_USER_AGENT

elfyn at exposure dot org dot uk
18-Aug-2002 04:48

What toby said is pretty on the line. Same with klaus. But if you're going to
do something that silly like allowing a third-party to include files into
your php script you should at least 1) re the file contents to see if it
contains php tags or 2) use a function in 'String functions' strip_tags to
remove any php, although if you use this with the default settings it
would remove html.

vlad at vkelman dot com
09-Nov-2002 08:37

There is good news for klaus at netlibrary dot de and others: PHP 4.2.3.
DOES block include('some_html_file'). It doesn't matter if this file has
actual PHP inside or not: include() doesn't work. You can use fopen() or
readfile(), but this means, the content won't be executed and therefore no
more vulnerability exists.

ohlesbeauxjours at yahoo dot fr
03-Dec-2002 03:43

In reply to Vlad who mentioned a problem with PHP version 4.2.3
: require " ...
worked fine for me. But note that I had to ask my web host supplier to
configure its proxy server so that the IP for
"www.somewhere.org" can be accepted for http
requests. Otherwise, if you don't deactivate that security mechanism
on the web server, you won't see any warning or error messages when you
execute your script, but only a "blocked" page, stopped at the
instruction "require(")"

buht at mail dot ru
10-Dec-2002 10:16

I've read all that you say and tried the next two simple files. The first
file makes an include through the Web: <?php include('); ?>
The second file (test.php) makes its output as HTML, but the result is a new
PHP script: <? echo "<?\$ip=getenv('REMOTE_HOST');echo \"IP=\$ip;\";?>"; ?>
That works perfectly without searching for a server that does not support
PHP scripts but allows storing PHP files on it. The extension is also not
important. So it is more secure to reject including through the Web. But
does anybody know any other possibility to include a document from another
URL using PHP?

robro at compsoc dot nuigalway dot ie dot nospam
14-Jan-2003 01:37

The easiest way I'd see around the security hole mentioned above would be
to turn off allow_url_fopen, using ini_set.
If that is not
acceptable you can simply str_replace out the :// part that separates the
protocol from the address.
include( str_replace("://", "", $whatever) );
should do the trick.
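The mitigations proposed in this thread (prefixing a host string, checking for 'tp:', stripping "://", "@" or ":") all try to recognise a URL inside an arbitrary string, and each post finds a gap in the previous one. The approach below, added here as an example and not taken from any of the notes, removes the problem instead: request data selects an entry from a fixed map, and only the mapped local file is ever passed to include(). The page names, directory and request parameter are constructed for the example.

```php
<?php
// Added example (not from the notes above): serving pages by name without
// ever passing request data to include(). The map, the directory and the
// 'showpage' parameter are constructed for this example.

// Fixed map from the names a link may carry to the files they resolve to.
// Anything not listed here simply has no entry and is rejected, whatever
// protocol prefix, '@', '..' or encoding trick the request may contain.
$pages = array(
    'news'    => 'news.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);
$page_dir = dirname(__FILE__) . '/pages';

function resolve_page($name, $pages, $page_dir)
{
    // Allowlist lookup: the only thing request data can do is pick a key.
    if (!is_string($name) || !isset($pages[$name])) {
        return false;
    }
    $path = realpath($page_dir . '/' . $pages[$name]);
    $dir  = realpath($page_dir);
    // Defence in depth: the resolved file must still live inside $page_dir,
    // so a mis-edited map entry cannot point outside the page directory.
    if ($path === false || $dir === false
        || strncmp($path, $dir . '/', strlen($dir) + 1) !== 0) {
        return false;
    }
    return $path;
}

$requested = isset($_GET['showpage']) ? $_GET['showpage'] : 'news';
$file = resolve_page($requested, $pages, $page_dir);
if ($file === false) {
    header('HTTP/1.0 404 Not Found');
    echo "<p>Unknown page.\n";
    exit;
}
include $file;
?>
```

Two facts worth keeping in mind alongside the thread: in current PHP releases allow_url_fopen can only be set in php.ini or the server configuration, not with ini_set() at run time, and include() of URLs is additionally governed by the separate allow_url_include directive, which is off by default. Neither replaces the allowlist above, because a local path chosen by the visitor is just as dangerous as a remote one.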