
Local/Remote File Inclusion is a serious vulnerability. The best practice for protecting against it is to set the following in php.ini:

```ini
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/html
```

Clearly, whitelist-based validation of user input is important as well, but developers make mistakes and defense in depth is key.

Even with the settings above, the exploit `php://filter/convert.base64-encode/resource=index.php` still works.

Is there any way to disable `php://filter` globally or on a per-PHP-file basis?

user2716262
  • Well, I know the question is old, but this might be possible with [stream_wrapper_unregister](https://www.php.net/manual/en/function.stream-wrapper-unregister.php). However, it seems you close down the complete `php://` wrapper when I read that manual page, so it is not very useful if you need `php://input` working in your code. – Raymond Nijland Nov 14 '19 at 15:36
  • You might be able to use [stream_wrapper_register](https://www.php.net/manual/en/function.stream-wrapper-register.php) to write [custom PHP](https://www.php.net/manual/en/stream.streamwrapper.example-1.php) that stops `php://filter` from working and keeps `php://input` working. Not 100% sure, as I never tested it... – Raymond Nijland Nov 14 '19 at 15:40
  • Still, it would be a challenge; as far as I know, `php://input` is the only non-deprecated method (`$HTTP_RAW_POST_DATA` is deprecated) that I know of which can read raw POST data from an HTTP request sent to a webserver. – Raymond Nijland Nov 14 '19 at 15:56
  • One issue with stream_wrapper_unregister is that it is not set at the php.ini level, but per PHP file. – user2716262 Nov 18 '19 at 13:53
  • Yes, I know; I always found it very weird that there was not an ini setting for it. As you said, an attack like `php://filter/convert.base64-encode/resource=index.php` can have huge security implications and is very easy to overlook... Maybe look around in the source code; maybe there is an ini setting for this feature that was forgotten to be documented? – Raymond Nijland Nov 19 '19 at 09:50
  • *"One issue with stream_wrapper_unregister is that it is not set at the php.ini level, but per PHP file."* Maybe some more tweaking with the [auto_append_file](https://www.php.net/ini.core#ini.auto-prepend-file) ini setting then? You could run PHP code based on configuration, and it might be possible to execute those parts I commented about. – Raymond Nijland Nov 19 '19 at 09:53
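The approach sketched in the comments above (unregister the built-in `php://` wrapper, re-register a userspace wrapper that refuses `php://filter` but still serves `php://input`, and load it for every request through `auto_prepend_file`) can be put together as follows. This is an added example written for this page, not code from the question, the commenters or the PHP project; the class name `RestrictedPhpWrapper`, the allow-list it uses and the prepend path `/etc/php/restrict-php-wrapper.php` are assumptions. The trick that makes delegation work is `stream_wrapper_restore('php')`, which temporarily brings the built-in wrapper back so the allowed targets can be opened normally, after which the userspace wrapper is re-registered.

```php
<?php
// Hypothetical hardening prepend file. Load it for every request with
//   auto_prepend_file = /etc/php/restrict-php-wrapper.php
// so it runs before any application code can include or read a php:// URL.

final class RestrictedPhpWrapper
{
    /** @var resource|null  Set by PHP when a context is passed; declared to avoid dynamic-property notices. */
    public $context;

    /** @var resource|null  Handle to the real stream, opened through the built-in wrapper. */
    private $handle;

    // Assumed allow-list: targets that do not read files. php://filter and php://fd are deliberately absent.
    private const ALLOWED = [
        'php://input', 'php://output', 'php://stdin', 'php://stdout', 'php://stderr',
        'php://memory', 'php://temp',
    ];

    private static function allowed(string $path): bool
    {
        $lower = strtolower($path);
        foreach (self::ALLOWED as $ok) {
            // Exact match, or a parameterised form such as php://temp/maxmemory:1048576
            if ($lower === $ok || strpos($lower, $ok . '/') === 0) {
                return true;
            }
        }
        return false;
    }

    /** Run $fn with the built-in php:// wrapper in place, then put this wrapper back. */
    private static function withBuiltin(callable $fn)
    {
        stream_wrapper_restore('php');
        try {
            return $fn();
        } finally {
            stream_wrapper_unregister('php');
            stream_wrapper_register('php', self::class);
        }
    }

    public function stream_open(string $path, string $mode, int $options, ?string &$opened_path): bool
    {
        if (!self::allowed($path)) {
            if ($options & STREAM_REPORT_ERRORS) {
                trigger_error("Blocked php:// target: $path", E_USER_WARNING);
            }
            return false;               // include/fopen/file_get_contents all fail here
        }
        $this->handle = self::withBuiltin(fn() => @fopen($path, $mode));
        return is_resource($this->handle);
    }

    // Everything else is a thin pass-through to the real handle.
    public function stream_read(int $count) { return fread($this->handle, $count); }
    public function stream_write(string $data) { return fwrite($this->handle, $data); }
    public function stream_eof(): bool { return feof($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
    public function stream_flush(): bool { return fflush($this->handle); }
    public function stream_tell(): int { return ftell($this->handle); }
    public function stream_seek(int $offset, int $whence = SEEK_SET): bool { return fseek($this->handle, $offset, $whence) === 0; }
    public function stream_stat() { return fstat($this->handle); }
    // include() asks for buffering options; answering "not handled" avoids a warning.
    public function stream_set_option(int $option, int $arg1, ?int $arg2): bool { return false; }
}

stream_wrapper_unregister('php');
stream_wrapper_register('php', RestrictedPhpWrapper::class);

// Self-check when the file is run directly from the CLI (hypothetical demo input: this file itself).
if (PHP_SAPI === 'cli' && realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    $leak = @file_get_contents('php://filter/convert.base64-encode/resource=' . __FILE__);
    echo $leak === false ? "php://filter blocked\n" : "php://filter NOT blocked\n";
    $mem = @fopen('php://memory', 'r+');
    echo is_resource($mem) ? "php://memory still works\n" : "php://memory broken\n";
}
```

Two caveats a practitioner should keep in mind. First, this only governs the `php://` scheme: `data://` and remote schemes are already refused for `include` by `allow_url_include = Off`, but `phar://` and `zip://` are separate wrappers and are not touched here, and a plain filesystem path is still only constrained by `open_basedir`. Second, `auto_prepend_file` runs once per request in the PHP SAPI, so the wrapper is in place before application code executes, but any code that itself calls `stream_wrapper_restore('php')` can undo it; this is a defense-in-depth layer, not a replacement for whitelisting the included filename.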
