
SecurityTracker:
"PHP Advanced Transfer Manager" Security Alert
May 20, 2005 @ 11:17:44

SecurityTracker.com has a new advisory to watch for if any of your PHP installations run the "PHP Advanced Transfer Manager":

An include file vulnerability was reported in PHP Advanced Transfer Manager. A remote user can execute arbitrary commands on the target system. If allow_url_fopen is set to 'on' in the 'php.ini' configuration file, the 'include/common.php' script allows a remote user to overwrite the 'include_location' parameter.

A remote user can supply a specially crafted URL to cause arbitrary PHP code to be included and executed by the target system. The PHP code, including operating system commands, will run with the privileges of the target web service.

Unfortunately, there's not a patch listed (yet), but a few simple checks thrown into the file could help with this little security issue...
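One form those checks could take, as an added example that is not code from PHP Advanced Transfer Manager or from the advisory: the include directory is set by the application itself and validated as a local path inside the application tree before anything is included from it. The function name `resolve_include_location` and the use of `__DIR__` as the application root are assumptions made for illustration; only the `include_location` name comes from the advisory.

```php
<?php
// Added example, not code from PHP Advanced Transfer Manager.
// Assumption: include paths are built from a value called $include_location,
// which should only ever name a directory inside the application's own tree.

function resolve_include_location(string $candidate, string $appRoot): string
{
    // Stream wrappers and URLs (http://, ftp://, php://) are never valid here.
    if (strpos($candidate, '://') !== false || strpos($candidate, "\0") !== false) {
        throw new InvalidArgumentException('include_location must be a local path');
    }

    // realpath() resolves ../ and symlinks, and returns false for paths that
    // do not exist on the local filesystem.
    $root = realpath($appRoot);
    $real = realpath($candidate);
    if ($root === false || $real === false || !is_dir($real)) {
        throw new InvalidArgumentException('include_location does not exist locally');
    }

    // The resolved directory must be the root itself or sit underneath it.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real . DIRECTORY_SEPARATOR, $rootPrefix, strlen($rootPrefix)) !== 0) {
        throw new InvalidArgumentException('include_location escapes the application root');
    }
    return $real . DIRECTORY_SEPARATOR;
}

// The value is assigned by the application before anything else runs, so a
// request parameter of the same name cannot replace it.
$appRoot = __DIR__;
$include_location = resolve_include_location(__DIR__, $appRoot);

// Constructed inputs showing which candidates are accepted or rejected.
$samples = [__DIR__, 'http://example.invalid/', __DIR__ . '/../'];
foreach ($samples as $s) {
    try {
        echo $s, ' => ', resolve_include_location($s, $appRoot), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $s, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Setting allow_url_fopen to off in php.ini removes the precondition the advisory names, at the cost of breaking any legitimate remote fopen use elsewhere on the server.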
