Author Topic: allow_url_fopen is an important security problem. Please, Disable it!  (Read 1860 times)

dev101

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #15 on: November 13, 2017, 01:53:43 am »
Can some of you 'experts' :) explain to me why allow_url_fopen is considered a liability, and cURL some magical safety? :P

It's the same thing from a functional perspective; I mean, cURL is much more powerful and has better error reporting, but other than that, it is not more secure...

imotor

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #16 on: November 13, 2017, 10:13:44 am »
I'm not an "expert" but cURL is simply the best option in this case and the question is: why not use the best option?

dev101

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #17 on: November 13, 2017, 10:36:55 am »
That does not really answer the question :)

If someone, somehow, gains the ability to call things outside at their own will, how will cURL protect you where, say, fgc would fail?

But, also, why do you think that for a recaptcha implementation it is the 'best' option? Maybe marginally faster (depends), but why else? :)

cURL replacement/support is trivial to add into recaptcha, and Osclass even has a fallback library to emulate it if needed, but -- tell me -- why is that method more secure?

Regards

imotor

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #18 on: November 13, 2017, 01:51:07 pm »
How many questions do I have to answer to defend my option!!  ??? right? ;)

Come on, another question: do you think that allow_url_fopen is a better option than cURL for ReCaptcha? Not me; that's my opinion.



Aficionado

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #19 on: November 13, 2017, 02:33:14 pm »
How many questions do I have to answer to defend my option!!  ??? right? ;)

Come on, another question: Do You think that allow_url_fopen is better option than cURL for ReCaptcha? Not me, it's my opinion.

I think dev101 told you everything needed. He knows what he is talking about, and I trust his programming and research skills. I also told you some things from my experience in hosting.

Really, there is nothing else to say.

imotor

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #20 on: November 13, 2017, 08:45:44 pm »
Really, there is nothing else to say.
This is not a good posture in a forum.
Okay, I will not go into disputes with anyone.  ???

This topic is about having the possibility to use ReCaptcha without having allow_url_fopen enabled, and, by the way, I also speak from my experience as a Server Administrator. But my experience, or that of anyone else, is not the issue.

Aficionado

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #21 on: November 13, 2017, 09:04:14 pm »
No dispute, just ... there is nothing more to say or do about this. You posted your request, you got some replies, there is nothing else we could do about it.

Personally, I have a long list of things I don't like or want changed in Osclass; over the years I asked about them once, then I learned to live with all the limitations.

Security is a huge topic, beyond the scope of this forum. You could also contact the Osclass team directly and ask for/request what you want.


Aficionado

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #22 on: November 13, 2017, 10:10:04 pm »
Also, if that plugin exists on Github, you could add your request there.


dev101

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #23 on: November 13, 2017, 11:32:58 pm »
My point here is to educate users, especially beginners, who are the most vulnerable to (and scared of) misinformation.

One way to really secure your server from potential abuse of URL or file fetching (which both methods discussed here are used for) is to stop it at a higher layer, above PHP. That means your server's firewall (not a PHP-powered firewall, as it also might get compromised). Unless your server is badly configured to allow the web user that controls/operates your server and PHP processes to write or delete files outside the public web folder (which would be a very bad and sad situation), there would be no way for some hacker who injected some PHP code or whatever to pull additional external files from an arbitrary malicious IP address. But maintaining whitelists is painful, not to mention that even experienced users avoid it, as IPs change over time (rarely for big companies like Google, but...); maybe through a reverse DNS check or something it is more reliable, but all of that is outside PHP's scope.

That is how I think about this security-related question. Now, I do not claim that this is correct, but it makes much more sense to me, because there is nothing built into cURL that identifies and filters 'bad/unauthorized' requests from the 'good' ones.

Regards
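The two transports dev101 compares in replies #17 and #23 (the http:// stream wrapper gated by allow_url_fopen, and ext/curl, which ignores that setting), side by side with the outbound host allowlist that neither of them provides on its own. This is an added example for this thread; it is not Osclass code and not the reCAPTCHA library's code. It assumes PHP 8 with ext/curl loaded; the helper names (host_allowed, fetch_with_fopen, fetch_with_curl, recaptcha_verify) and the OUTBOUND_ALLOWLIST constant are mine, and the only identifier taken from a real API is the siteverify endpoint URL.

```php
<?php
// Added illustration for the forum thread above; hypothetical helper names.
// Assumes PHP 8 and ext/curl. The siteverify URL is the documented reCAPTCHA
// endpoint; everything else is an assumption made for this example.

declare(strict_types=1);

/** Outbound hosts this application may contact (allowlist, not blocklist). */
const OUTBOUND_ALLOWLIST = ['www.google.com'];

/**
 * One policy for every transport: only https, only to an allowlisted host.
 * Neither cURL nor the stream wrapper applies any such filter by itself,
 * which is the point made in the thread.
 */
function host_allowed(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    return strtolower($p['scheme']) === 'https'
        && in_array(strtolower($p['host']), OUTBOUND_ALLOWLIST, true);
}

/** POST $fields through the http stream wrapper; requires allow_url_fopen=On. */
function fetch_with_fopen(string $url, array $fields): string|false
{
    if (!host_allowed($url)) {
        return false;
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    ]]);
    return @file_get_contents($url, false, $ctx);
}

/** POST $fields through ext/curl; unaffected by allow_url_fopen. */
function fetch_with_curl(string $url, array $fields): string|false
{
    if (!host_allowed($url)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => http_build_query($fields),
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_TIMEOUT         => 5,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,  // no file://, gopher://, ...
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,            // a redirect could leave the allowlist
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

/** Verify a reCAPTCHA token with whichever transport the host provides. */
function recaptcha_verify(string $secret, string $response, string $remoteIp): bool
{
    $url    = 'https://www.google.com/recaptcha/api/siteverify';
    $fields = ['secret' => $secret, 'response' => $response, 'remoteip' => $remoteIp];

    $body = function_exists('curl_init')
        ? fetch_with_curl($url, $fields)
        : (ini_get('allow_url_fopen') ? fetch_with_fopen($url, $fields) : false);

    if ($body === false) {
        return false;
    }
    $json = json_decode($body, true);
    return is_array($json) && ($json['success'] ?? false) === true;
}

// The policy, not the transport, decides where PHP may connect.
var_dump(host_allowed('https://www.google.com/recaptcha/api/siteverify'));
var_dump(host_allowed('http://169.254.169.254/latest/meta-data/'));
var_dump(host_allowed('file:///etc/passwd'));
```

Two caveats worth keeping in mind. First, allow_url_fopen only gates the URL-aware stream wrappers (file_get_contents, fopen and friends); ext/curl never consults it, so turning the setting off changes nothing for attacker-controlled code that can call curl_exec, which is the functional-equivalence point made above. Second, a hostname allowlist is evaluated before DNS resolution, so it does not by itself defeat DNS rebinding or a redirect to a different host; that is why redirects are disabled and the protocol is pinned in the cURL path, and why an outbound rule in the OS firewall, as dev101 suggests, is the complementary control rather than a replacement for the check in PHP.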

Aficionado

Re: allow_url_fopen is an important security problem. Please, Disable it!
« Reply #24 on: November 13, 2017, 11:42:25 pm »
The best firewall/security is actually a backup, done correctly. Simple as that.