Can RSS News Flash work avoiding the security risk of allow_url_



Registered User
3 posts

RSS News Flash 4.5 needs allow_url_fopen to be activated, but this is not wise to do as it open up a major security risk. See here:
http://phpsec.org/projects/phpsecinfo/t … fopen.html

PHP Security Consortium wrote:
If enabled, allow_url_fopen allows PHP's file functions -- such as file_get_contents() and the include and require statements -- to retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.

allow_url_fopen is on by default.

Recommendations

You should disable allow_url_fopen in the php.ini file

I checked with my host and with a server configuration expert and they too strongly advise to keep allow_url_fopen disabled.

It strikes me as odd that I need to enable a function to retrieve data from remote locations, while I only need data from my server. I do not need a feed from anywhere else.

I read here that there are alternative ways to handle this:
http://tutorials.ausweb.com.au/web/Tuto … url_fopen/

AUSWEB Hosting wrote:
Security issues - allow_url_fopen

The PHP option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. For security reasons, AUSWEB has disabled this feature; however, a feature-rich alternative exists in the form of the bundled cURL library

Server-Side Includes

Many developers include files by pointing to a remote URL, even if the file is within the local system. For example:

<?php include("http://example.com/includes/example_include.php"); ?>

With allow_url_fopen disabled, this method will not work. Instead, the file must be included with a local path, and there are three methods of doing this:

1. By using a relative path, such as ../includes/example_include.php.
2. By using an absolute path (also known as relative-from-root), such as /home/username/example.com/includes/example_include.php.
3. By using the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory. This is by far the best (and most portable) solution. The example that follows shows the environment variable in action:

Processing Differences (and passing variables to an included file)

It is worth mentioning that the alternative solutions presented here will result in a difference in the way the include() function is handled. The alternative solutions all return the PHP code from the included page; however, the now-unavailable remote URL method returns the result from the included page. One result of this behavior is that you cannot pass a querystring using the alternative solutions. You define the variables locally before performing the include:

Example

To achieve the effect of this:

<?php include("http://yourdomain.com/includes/example_include.php?var=example"); ?>

You must instead use this:

<?php
$var = "example";
include($_SERVER['DOCUMENT_ROOT']."/includes/example_include.php");
?>


Example exploitation

If allow_url_fopen is enabled, this system can be exploited by simply changing the value of the variable in the querystring:

http://yourdomain.com/index.php?page=ht … script.txt

So to avoid potential compromise of our clients' websites, the PHP variable allow_url_fopen=off is on all our servers now.

I am not willing to take this major security risk.
Can you please instruct me how to edit the files, to make the ticker work without allow_url_fopen?

(I did already open up a support ticket, but they said it should be answered here.)
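The two passages quoted above, the "page=" inclusion example and the cURL alternative to opening a URL, are easier to act on with concrete code. The following is an added example and not RSS News Flash's own rss.php; it assumes PHP 7+ with the cURL and SimpleXML extensions, and every page name, include path and feed location in it is a placeholder chosen for the illustration. It shows an include that never takes a user-supplied path, and a feed reader that reads a local feed from disk (which never needs allow_url_fopen) or a listed remote feed through cURL.

```php
<?php
// Added example, not CoffeeCup's RSS News Flash code. Assumes PHP 7+ with the
// cURL and SimpleXML extensions. Page names, include paths and feed locations
// are placeholders chosen for this illustration.

// --- 1. Including a page chosen by the user without a user-controlled path ----
// The pattern the AUSWEB quote warns about is include($_GET['page']). With
// allow_url_fopen on, ?page=http://.../script.txt pulls in remote code; with it
// off, ../ traversal still reaches local files. Map short names to files and
// refuse anything not in the map, so no user input is ever used as a path.
const PAGES = [
    'home' => 'home.php',
    'news' => 'news.php',
];

function resolvePage(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null; // unknown name: refuse rather than guess
    }
    // Anchor at DOCUMENT_ROOT, as the quoted tutorial recommends.
    return rtrim($_SERVER['DOCUMENT_ROOT'], '/') . '/includes/' . PAGES[$requested];
}

// --- 2. Reading a feed without allow_url_fopen -------------------------------
// A feed that lives on this server is read from disk with a local path, which
// never needs allow_url_fopen. A remote feed goes through cURL with a fixed
// destination, no redirects, verified TLS and a size cap. Only feeds listed
// here can be requested, so the network layer never sees user input.
const FEEDS = [
    'local'  => '/var/www/example.com/feeds/news.xml', // placeholder path
    'remote' => 'https://feeds.example.com/news.xml',   // placeholder URL
];

function readFeed(string $name, int $timeoutSeconds = 10): string
{
    if (!isset(FEEDS[$name])) {
        throw new InvalidArgumentException("Unknown feed: $name");
    }
    $source = FEEDS[$name];
    if ($source[0] === '/') {
        $body = file_get_contents($source); // local path: no URL wrapper involved
        if ($body === false) {
            throw new RuntimeException("Cannot read local feed $source");
        }
        return $body;
    }
    $ch = curl_init($source);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,           // no redirect to an unlisted host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // nothing but HTTPS
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_CONNECTTIMEOUT => $timeoutSeconds,
        CURLOPT_TIMEOUT        => $timeoutSeconds,
        CURLOPT_MAXFILESIZE    => 1024 * 1024,     // refuse bodies over 1 MiB
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Feed fetch failed: HTTP $status $error");
    }
    return $body;
}

// Parse item titles with libxml's network access disabled.
function feedTitles(string $xml): array
{
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        throw new RuntimeException('Feed is not well-formed XML');
    }
    $titles = [];
    foreach ($doc->channel->item ?? [] as $item) {
        $titles[] = (string) $item->title;
    }
    return $titles;
}

// Usage: a ticker page would call these instead of include(URL) / fopen(URL).
$page = resolvePage($_GET['page'] ?? 'home');
if ($page !== null) {
    include $page;
}
foreach (feedTitles(readFeed('local')) as $title) {
    echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Both lookups are keyed by a short name rather than a path or URL on purpose: with allow_url_fopen off the remote-inclusion case is closed, but a user-controlled path still reaches local files, and a user-controlled URL handed to cURL would simply move the problem to the fetch. The allowlist is what removes the input from the decision entirely.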


VP of Product Development
25,042 posts

Unfortunately there is no work around for this. The program requires the fopen() function to properly work. Maybe in a future update we will have a work around but I would not be able to provide when such a feature would make it into the program.

Scott A. Swedorski - VP of Product Development
CoffeeCup Software Inc.
Phone: 678.495.3480

"Want to update your website from anywhere? Check out our new free service, S-Drive Streams. Visit http://www.coffeecup.com/sdrive for more information."


Registered User
3 posts

Thanks for your response.

This does mean that I can not use your cool program. :(
I will ask for a refund.


Trial User
2 posts

Just to let you know, another very large host "I Power" has now globally disabled "allow_url_fopen"
as many others are following this recommendation...
Time for a rewrite on this program or at least give a CURL code to replace in the php file.


Trial User
2 posts

I have to retract my previous assessment. With further research, I have come to the conclusion that the flaw is not in "allow_url_fopen" but rather in the way a host's platform/configuration handles the script. In my opinion "allow_url_fopen" is at the moment a safe and the best method for handling the RSS News Flash program. After discussion with host I-Power they too realize this, and it is the reason for disabling "allow_url_fopen" at the moment as they change platforms; they plan on enabling "allow_url_fopen" when the platform change is completed. With this insight, knowing the hosts themselves are aware it is their end that creates the flaw, one can again (and should have) realized that CC would not have put out or used flawed scripting in their products.
Sincerely,
Heidi-Ann Kennedy
Scientific Frontline

But still that other issue, still bewilders me... (private matter)


Senior Advisor
3,116 posts

Good to hear. Had me doing some Googling myself. http://www.flashstrap.com
http://www.lodipc.com


Registered User
48 posts

Just found this post...

It seems that more and more hosting providers are turning OFF "allow_url_fopen" for security. And since RSS reader requires it to be on, here's hoping a rewrite of the RSS program could be done!

Thanks,
Jeff Digital Artist
http://www.jeffkolkerart.com


Trial User
8 posts

Yes... a security hole for those using RSS News Flash with the rss.php script.


Registered User
24 posts

My host will also not allow me to turn allow_url_fopen on for security reasons. I've been searching the forums for a solution but it appears that there isn't one. The posts actually go back a fair way so this is obviously an issue that has been around for a while. Although, as stated on another thread, CC make it clear that PHP is required for this app to work, it isn't actually the case. It needs specific PHP variables flagged a certain way and it seems increasingly that hosts will not allow this. Without wishing to sound churlish, if many users are having this issue for the length of time that the forum posts would suggest then it should probably be fixed.

Here's hoping.
