A brief description of the fopen PHP vulnerability

One of the PHP vulnerability that is still being found on many websites is the fopen function in PHP - CVE-2007-0448. You can secure your website by disabling includes when calling the fopen function.

According to cvedetails.com "PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI"

A brief description of the fopen PHP vulnerability 1

It's usually not recommended to enable the fopen function in the php.ini, however, some developers include it in the code itself for a specific task. Let's see how this is exploited:

Let's say we have a page called vulnerability.php containing these code

<?php
$vulnerable = $_GET['vulnerable'];
include($vulnerable);
?>

So, $vulnerable = $_GET['vulnerable']; means to put the 'vulnerable' GET property in the variable $vulnerable; i.e GET property that is in the URL. An example is http://mysite.com/page.php?vulnerable=yes&howmuch=Very.

By including the value of the variable ($vulnerable), you allowing an attacker to inject code. Someone, for instance, can try this on his browser

http://www.mywebsite.com/fopen.php?vulnerable=../../../index.php

This will enable the attacker to get into subdirectories and start exploring the whole directory. However, if you are running PHP-FPM for a particular instance, only that particular instance is impacted as PHP-FPM allows you to isolate each running instances within the server.