Kiosk (GVO) forbids php fopen? file? etc.?

by zapseo
2 replies
I was quite amazed to read in Kiosk's knowledge base that they forbid the use of fopen.

They state, in their knowledgebase, the following:

fopen(), file() and other functions in PHP have a vulnerability that makes it possible to add extra HTTP headers to HTTP queries. Attackers may use it to escape certain restrictions, like what host to access on a web server. In some cases, this vulnerability even opens up for arbitrary net connections, turning some PHP scripts into proxies and open mail relays.
Most scripts realize this is a security risk and therefore no longer use this setting in PHP. Please contact your software author if they ask for this setting; we will only enable this on dedicated servers to protect our network.


Ummmm.... are they using the same fopen I'm thinking of, the one that simply opens files? Or are they referring to using fopen to open URLs?


Simply forbidding fopen seems like the world of php scripts would fall apart, since it is basic to any kind of file handling ...


Thoughts? Ideas? Comments?


Thanks!


Judy

#file #fopen #forbids #gvo #kiosk #php
  • entrepenerd
    fopen can be used to open files on the local file system or a URL on a remote server. That's where the security risk lies. Why they disabled fopen entirely I'm not sure. There is a setting that allows disabling fopen for remote URLs, but allows you to continue using it for local filesystem requests. That's what they should have done.

    That said, you may still be able to use curl to accomplish what you need.
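The setting entrepenerd refers to is the php.ini directive `allow_url_fopen` (and its sibling `allow_url_include`): it governs only the URL wrappers (`http://`, `ftp://`, ...), while `fopen()`, `file()` and `file_get_contents()` on plain filesystem paths keep working. The following is an added example, not code from the thread or from Kiosk's documentation. It shows a local-file round trip that is unaffected by the directive, the unsafe pattern that the directive protects against (a user-supplied URL passed straight to a file function), and a curl-based replacement that pins the scheme and host to an allowlist so it does not depend on the directive at all. The allowlist host, the loopback URL used as the "attacker-chosen" input, and the temp-file path are assumptions for illustration.

```php
<?php
// Added example (not from the thread or from Kiosk's knowledge base).
// Relevant php.ini directives, shown here as a comment:
//   allow_url_fopen = Off    ; blocks fopen()/file()/include on http://, ftp:// ...
//   allow_url_include = Off  ; blocks include/require of URLs (separate switch)
// Neither affects ordinary filesystem paths.

declare(strict_types=1);

// 1. Local file I/O is untouched by allow_url_fopen.
//    ini_get() lets a script report the setting instead of guessing.
function local_file_roundtrip(string $path): string
{
    $fh = fopen($path, 'w');          // plain filesystem path: always permitted
    fwrite($fh, "hello\n");
    fclose($fh);
    return file_get_contents($path);  // file() / file_get_contents() likewise
}

// 2. Remote fetch the unsafe way: a user-controlled URL goes straight into a
//    file function. With allow_url_fopen=On the attacker picks scheme, host
//    and port (an SSRF primitive, which is what the knowledge base is worried
//    about); with it Off, the call returns false and emits a warning.
function fetch_unsafe(string $userUrl): string|false
{
    return @file_get_contents($userUrl);
}

// 3. Remote fetch the hardened way, independent of allow_url_fopen:
//    parse the URL, pin scheme and host to an allowlist, and use curl with
//    protocols and redirects restricted so the request cannot be bounced to
//    an internal service or a non-HTTP scheme.
function fetch_allowlisted(string $userUrl, array $allowedHosts): string
{
    $parts = parse_url($userUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('unparseable URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        throw new InvalidArgumentException('host not allowed');
    }

    $ch = curl_init($userUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,                         // no redirect to internal hosts
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("fetch failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Usage (assumed inputs):
echo 'allow_url_fopen=', ini_get('allow_url_fopen') ? 'On' : 'Off', "\n";
echo local_file_roundtrip(sys_get_temp_dir() . '/fopen_demo.txt');   // "hello" regardless of the directive

$attackerUrl = 'http://127.0.0.1:8080/admin';   // assumed attacker-chosen URL pointing at an internal service
var_dump(fetch_unsafe($attackerUrl) !== false);  // true only if allow_url_fopen=On and something listens there

try {
    fetch_allowlisted($attackerUrl, ['api.example.com']);   // assumed allowlist
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";   // blocked: host not allowed
}
```

Run it once with `allow_url_fopen=On` and once with `Off` (`php -d allow_url_fopen=0 script.php`) and only the `fetch_unsafe` result changes; the local round trip and the curl path behave the same both times, which is the distinction the knowledge base text blurs.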
    • zapseo
      Originally Posted by entrepenerd

      fopen can be used to open files on the local file system or a URL on a remote server. That's where the security risk lies. Why they disabled fopen entirely I'm not sure. There is a setting that allows disabling fopen for remote URLs, but allows you to continue using it for local filesystem requests. That's what they should have done.

      That said, you may still be able to use curl to accomplish what you need.
      I haven't tried either ... I was just reading what they wrote.
      I suspect that must be what they've done -- I can't imagine too many php programs working without fopen.

      OTOH -- how many OTHER ways can you open a remote URL?
      iframes, javascript, etc.

      oh well.
