On Sun, Mar 20, 2005 at 01:47:35AM +0100, Ulf Harnhammar wrote:
> An interesting idea and script!
>
> Remote file inclusion requires that the variable is placed at the start of the include() or require() parameter.
(...)
> But not this:
>
> include("templatedir/$file");
But that is vulnerable to a local directory traversal, isn't it? Coupled
with a local attack (dropping php files somewhere, maybe through an upload
form) it can lead to privilege escalation and remote execution (as you will
make the serve read and execute code privilege from external locations).
That is, unless you configure PHP to prevent this kind of attacks by
setting 'safe_mode' to on and setting 'open_basedir' to an specific set of
directories. But, then again, you can also prevent remote file inclusion by
setting 'allow_url_fopen' to 'Off'.
Regards
Javier