A brief description of the fopen PHP vulnerability

One of the PHP vulnerability that is still being found on many websites is the fopen function in PHP - CVE-2007-0448. You can secure your website by disabling includes when calling the fopen function.

According to cvedetails.com "PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI"

Its usually  not recommended to enable the fopen function in the php.ini, however, some developers include it in the code itself for a specific task. Lets see how this is exploited:

Lets say we have a page called vulnerability.php containing these code

<?php
$vulnerable = $_GET['vulnerable'];
include($vulnerable);
?>

So, $vulnerable = $_GET['vulnerable']; means to put the 'vulnerable' GET property in the variable $vulnerable; i.e GET property that is in the URL. An example is http://mysite.com/page.php?vulnerable=yes&howmuch=Very.

By including the value of the variable ($vulnerable), you allowing an attacker to inject code. Someone for instance can try this on his browser

http://www.mywebsite.com/fopen.php?vulnerable=../../../index.php

This will enable the attacker to get into subdirectories and start exploring the whole directory. However, if you are running PHPFPM for a particular instance, only that particular instance is impacted as PHPFPM allows you to isolate each running instances within the server.

  • selven

    Its a bit naiive to do an include with a variable included…