CoffeeCup RSS News Flash Help Center


Is allow_url_fopen insecure?

The purpose of CoffeeCup RSS News Flash is to "Add your own news to your Website or news from Yahoo, CNN, and CNET using Flash." So the question is: how exactly are we supposed to retrieve news from external sources?

A few answers naturally present themselves:

  • We could have users retrieve the data manually, though that would be a bit much to ask and pretty inefficient.
  • We could require our users to have some sort of third-party software or PHP extension (such as cURL), though that would exclude a significant portion of our user base.
  • We could use a built-in PHP function to retrieve the remote data. This is the most desirable option, since it is available cross-platform to anyone who has PHP installed.

Naturally, we chose the last of these: PHP's URL-aware file functions (fopen(), file_get_contents() and friends), which can read remote URLs when the allow_url_fopen setting is on. That setting exists in all supported PHP distributions and is enabled by default.

But what does this choice mean for you? Does it mean that your website will suddenly be vulnerable to attacks if you use our software?

Well, no. Using our software does not by itself open you up to any security risks. The advice you will find on the PHP Security Consortium's website regarding the allow_url_fopen setting is aimed at server administrators rather than website developers. The idea is that if you are going to let other developers run code on your server, you should not keep allow_url_fopen enabled, because a careless programmer may pass a string taken from user input to fopen(), file_get_contents() or include(), and a visitor can then point that call at a remote file of their choosing. (Since PHP 5.2, remote include() and require() are governed by the separate allow_url_include setting, which is off by default; allow_url_fopen covers file-style reads with the URL wrappers.)

So, like everything else in life, this is really a matter of weighing your options rather than a decision of right or wrong. While it is true that disabling allow_url_fopen will prevent careless programmers from exposing you to security risks, it will also prevent you from retrieving external data without some sort of third-party product. The best solution for you, as a website developer, is to leave allow_url_fopen enabled and just not be careless. That means two things: keep the feed URLs fixed in your configuration rather than built from anything a visitor submits, and retrieve data only from trusted sources. Yahoo!, CNN, and CNET are safe choices in that sense; it is very unlikely that one of them is going to try to exploit your system. A trusted publisher still does not make the feed contents trusted input, so escape titles and links before printing them into your page.
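To make the difference between "careless" and "careful" concrete, here is an added PHP example (it is not CoffeeCup's code and not taken from RSS News Flash). It shows a fetch that takes its URL from the query string beside one that only accepts a key into a fixed table of feeds, bounds the request, and escapes the feed content on output. The table, the placeholder feed URL, and the function names are assumptions for illustration.

```php
<?php
// Added example, not CoffeeCup's code: a careless remote fetch beside a
// constrained one. The feed table, URLs and function names are assumed.

// Careless: the URL comes straight from the query string. With allow_url_fopen
// on, a visitor can make this server fetch any http://, ftp:// or other
// wrapper URL they choose; with include() in place of file_get_contents() and
// allow_url_include on, they could make it execute remote code.
function fetch_feed_careless()
{
    $url = $_GET['feed'];
    return file_get_contents($url);
}

// Constrained: the visitor only supplies a key; every URL is fixed in code.
function fetch_feed($key, array $feeds, $timeout = 5)
{
    if (!isset($feeds[$key])) {
        return null;                           // unknown key: refuse, do not guess
    }
    $url = $feeds[$key];

    // Defence in depth: even entries in our own table must be plain http/https.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, array('http', 'https'), true)) {
        return null;
    }

    // Bound the fetch: a slow or unreachable host must not hang the page, and a
    // redirect must not silently send the request to a different host.
    $ctx = stream_context_create(array('http' => array(
        'timeout'         => $timeout,
        'follow_location' => 0,
        'user_agent'      => 'rss-fetch-example/1.0',
    )));
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// A trusted publisher does not make the bytes trusted: parse with network
// access off (LIBXML_NONET) so the document cannot pull in external resources,
// and escape every string before it reaches HTML.
function render_titles($xml)
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false || !isset($doc->channel)) {
        return '';
    }
    $out = '';
    foreach ($doc->channel->item as $item) {
        $title = htmlspecialchars((string) $item->title, ENT_QUOTES, 'UTF-8');
        $out .= "<li>$title</li>\n";
    }
    return $out;
}

// Usage: the visitor picks a feed by name; only names in the table are fetched.
$feeds = array(
    'news' => 'http://feeds.example.org/news.xml',   // assumed placeholder URL
);
$key = isset($_GET['feed']) ? $_GET['feed'] : 'news';
$xml = fetch_feed($key, $feeds);
echo $xml === null ? '<p>Feed unavailable.</p>' : "<ul>\n" . render_titles($xml) . "</ul>\n";
```

fetch_feed_careless() is included only for contrast and should never be deployed. Both fetch functions need allow_url_fopen on, which is exactly the point: the setting is the same in both cases, and what separates them is whether a visitor can choose the URL.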

If you want to be extra safe, you can disable allow_url_fopen globally and enable it only for the directory that holds your CoffeeCup RSS News Flash script. Note that allow_url_fopen can only be changed in php.ini or in the web server's main configuration, not from a script with ini_set() or from an .htaccess file. Options for making this sort of change are described here: http://us.php.net/manual/en/configuration.changes.php .
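One way to set this up under Apache with mod_php, as an added configuration example (it is not from the CoffeeCup documentation; the directory path is assumed):

```apache
# php.ini (server-wide): keep the URL wrappers off for every script by default.
#   allow_url_fopen = Off
#   allow_url_include = Off    (PHP 5.2 and later; leave this Off everywhere)

# httpd.conf: allow_url_fopen is a PHP_INI_SYSTEM setting, so it cannot be
# turned on from .htaccess or ini_set(). It can be set per directory here in
# the main server configuration with php_admin_flag, which also stops any
# .htaccess file from overriding it. Path below is assumed.
<Directory "/var/www/example.com/htdocs/rssnewsflash">
    php_admin_flag allow_url_fopen on
</Directory>
```

The same split works with PHP-FPM by putting php_admin_flag[allow_url_fopen] = on in the pool configuration that serves only that directory or virtual host; keep allow_url_include off in either case.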

The bottom line is that our program has no inherent security flaws. Rather, allow_url_fopen lets a careless person open your website up to certain security risks, which presupposes that a careless person is running your website, and I'm sure that isn't the case. With some mild vigilance you will be able to take full advantage of our program and maintain a safe and secure site.


© 1996 - 2008 CoffeeCup Software, Inc.