Just got this in my local PHP UG and thought I'd share....


http://story.news.yahoo.com/news?tmpl=story&u=/pcworld/119051

Someone even wrote a worm for that? wow...

<grumpy>it's the most recent form of spam: warnings against incorrect use of require() or include(). I wish they at least udes it to promote the use of require_once()</grumpy>

I can't believe that there were people (let alone wordlwide used packages) actually including pages like that.

I don't get that ... what are "unsafe uses of include() and require()" ?

My local PHPUG had the same question. I think something like this...


include("../includes/".$_GET['page']);


is what is being exploited. But no one here would allow for direct user input into an include / require right??? ;)

no. the example you posted will only return a warning if the file isn't found. and it will start looking for the file in a directory on your server so it would be impossible to have it include external files.

but if your code would look like

include($_GET['page']); // bad code !!

then you could get into problems. because if someone submits the url
http://stupid.com/index.php?page=http://www.codingforums.com/index.php

then the CF indexpage will actually be imported and parsed (since it's http, that wount result in more then some html being added to the output). So they could link to an external php-page and ...

including external pages is only possible on windows from PHP version 4.3.0 so maybe that is why there are turning up more worms now. on *nix it's always been possible.
but you need to have allow_url_fopen enabled for it (default) so it's actually rather easy to prevent this exploit (even by the host since this config can only be set inside the php.ini)