Is including a remote file a security risk?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

suga
Forum Newbie
Posts: 4
Joined: Mon Jan 21, 2008 5:14 pm

Is including a remote file a security risk?

Post by suga »

I have always heard that a programmer should never include a remote file and after searching the topic I have found vulnerabilities when a variable is used to determine the URI being used in the include.

For example:

<?php
include($page);
?>
I can understand a vulnerability in this sense, but if the URI is coded into the include are there any vulnerabilities or security issues?

For example:

<?php
include('http://www.domain.com/banner.php');
?>
Sorry if this sounds like a basic question, but I have always been told never to include remote files, but I have never understood what vulnerabilities might exist if the URI is hard coded. Thanks!
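The two shapes suga contrasts, shown side by side as an added example (this is not code from the thread or from any poster): a request-driven include next to an allowlisted one, plus a check that the interpreter itself refuses remote includes. The page keys, file paths and the `pages/` directory are assumptions; `allow_url_include` is a real php.ini directive.

```php
<?php
// Added example, not from the original thread. The $pages map, the pages/
// directory and the request parameter name are assumptions for illustration.

// Risky: the include target comes straight from the request. If the
// interpreter allows URL includes this can point at a remote server; even
// when it does not, any readable local file named here is parsed as PHP.
function include_page_unsafe(string $page): void
{
    include $page;
}

// Hardened: map a short key to a fixed local path and reject everything else.
// The request value is never used to build a path, so neither a remote URL
// nor a manipulated local path can reach include().
function include_page_safe(string $key): bool
{
    $pages = [
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
    if (!array_key_exists($key, $pages)) {
        http_response_code(404);
        return false;
    }
    include $pages[$key];
    return true;
}

// Defence in depth, independent of application code: confirm the interpreter
// is configured to refuse remote includes. allow_url_include can only be set
// in php.ini or the SAPI configuration, not at runtime, so this is a check.
function remote_include_disabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false;
}

if (!remote_include_disabled()) {
    error_log('allow_url_include is On; remote includes are possible');
}

include_page_safe($_GET['page'] ?? 'home');
```

The allowlist is the important part: the hard-coded URL in suga's second snippet removes the variable, but an allowlist removes the whole class of "where does this string come from" questions, and the ini check catches a server configuration drifting later.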
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Re: Is including a remote file a security risk?

Post by Oren »

What if http://www.domain.com/banner.php looked like this:

some_evil_func_which_fetch_data_from_your_db_and_email_it_to_me();
suga
Forum Newbie
Posts: 4
Joined: Mon Jan 21, 2008 5:14 pm

Re: Is including a remote file a security risk?

Post by suga »

Sorry for not making that clear. If I managed both websites and had full control over http://www.domain.com/banner.php - but the websites are on separate servers ... would there be a security risk? Is there any other way that a person could inject something into an include request between two servers?
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Re: Is including a remote file a security risk?

Post by Oren »

I guess it depends on what you have on the remote file. If the remote file fetches some data from an external source, then again, you are at risk just as if it wasn't your file. But if that file is managed by you and doesn't use any user input then I guess it'd be secure.

P.S. "User input" in this case refers to anything that is coming from the outside world. For example, some sort of code for a banner from one of your advertisers.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Is including a remote file a security risk?

Post by Christopher »

If you control both sites it should be ok ... but they find ways to hack just about anything. If you could find a way to do it as a data feed rather than executing remote code -- that would be preferable. Why do you need that file parsed?
(#10850)
suga
Forum Newbie
Posts: 4
Joined: Mon Jan 21, 2008 5:14 pm

Re: Is including a remote file a security risk?

Post by suga »

I have a dynamic navigation on one website that changes each week and I am setting up a sub-domain of that website on another server to set up a blog. I need to pull in the navigation HTML on a regular basis so the navigation is up-to-date and thought about using the readfile function to pull the HTML code. I was just curious what vulnerabilities there were when using an include function as this would be an easier process.

Thanks for the insight - let me know if you have any other thoughts about this.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Is including a remote file a security risk?

Post by Christopher »

Every vector you open up to remote code execution is a potential exploit. You may have it locked down now, but next year you change something and you have unknowingly opened a door into your server. I would use some kind of data exchange web service if possible.
(#10850)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Is including a remote file a security risk?

Post by VladSun »

It's vulnerable to a man-in-the-middle attack ...
There are 10 types of people in this world, those who understand binary and those who don't
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Is including a remote file a security risk?

Post by VladSun »

The easiest way to defend against these attacks (supposing you are not able to use ssh tunnels or https) would be to sign the file contents.
There are 10 types of people in this world, those who understand binary and those who don't
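Christopher's "data feed rather than executing remote code" and VladSun's "sign the file contents" combine naturally, so here is one added example covering both (it is not code from the thread or from any poster): the main site publishes the navigation HTML with a detached HMAC, and the blog server fetches it as data, verifies the signature with a shared secret, and only then echoes it. The shared secret, the `nav.html`/`nav.sig` file names, the cache path and the host are assumptions.

```php
<?php
// Added example, not from the original thread. NAV_SECRET, the nav.html /
// nav.sig names and the cache path are assumptions; the secret would normally
// live in configuration outside the web root and be identical on both servers.

const NAV_SECRET = 'replace-with-a-long-random-shared-secret';

// Producer side (main site): after regenerating nav.html, write nav.sig.
function sign_fragment(string $html, string $secret): string
{
    return hash_hmac('sha256', $html, $secret);
}

function publish_nav(string $html, string $dir, string $secret): void
{
    file_put_contents($dir . '/nav.html', $html, LOCK_EX);
    file_put_contents($dir . '/nav.sig', sign_fragment($html, $secret), LOCK_EX);
}

// Consumer side (blog server): verify before trusting anything fetched.
function verify_fragment(string $html, string $sig, string $secret): bool
{
    // hash_equals() compares in constant time, so a wrong signature does not
    // leak how many leading characters matched.
    return hash_equals(sign_fragment($html, $secret), $sig);
}

// Fetch HTML and signature over HTTP; return the HTML only if it verifies.
// The content is treated as text to output, never handed to include(), so a
// tampered response fails verification instead of executing.
function fetch_verified_nav(string $base, string $secret): ?string
{
    $html = @file_get_contents($base . '/nav.html');
    $sig  = @file_get_contents($base . '/nav.sig');
    if ($html === false || $sig === false) {
        return null;
    }
    return verify_fragment($html, trim($sig), $secret) ? $html : null;
}

// Keep the last good copy so a failed fetch or bad signature degrades to
// stale-but-verified navigation rather than an empty menu, and log it.
function current_nav(string $base, string $secret, string $cache): string
{
    $nav = fetch_verified_nav($base, $secret);
    if ($nav !== null) {
        file_put_contents($cache, $nav, LOCK_EX);
        return $nav;
    }
    error_log('navigation fetch failed or signature mismatch; serving cached copy');
    return is_readable($cache) ? file_get_contents($cache) : '';
}

echo current_nav('http://www.domain.com', NAV_SECRET, __DIR__ . '/nav.cache.html');
```

The HMAC gives integrity and origin over plain HTTP, which is the case VladSun describes; it does not give confidentiality, and an old but correctly signed copy could be replayed, so a timestamp inside the signed content is the usual extension if freshness matters.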
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Is including a remote file a security risk?

Post by Mordred »

arborint wrote:Every vector you open up to remote code execution is a potential exploit. You may have it locked down now, but next year you change something and you have unknowingly opened a door into your server. I would use some kind of data exchange web service if possible.
+1

You shouldn't need to remotely include a file. Since you control both servers, just copy it, you lazy person ;)
You could set up a cron job as well. Pulling it every time remotely may put strain on both servers or at least make the including page unresponsive.
suga
Forum Newbie
Posts: 4
Joined: Mon Jan 21, 2008 5:14 pm

Re: Is including a remote file a security risk?

Post by suga »

Thank you arborint and everyone else - those are all valid points.

Mordred, I thought about this last night. My thought was to set up a cron that would initiate a script creating the latest version of the navigation and then FTP (or I suppose SFTP) the HTML file to the new server. Did you have an idea of a better way to do this?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Is including a remote file a security risk?

Post by VladSun »

You can use scp.
Also, maybe rsync would be helpful:
http://sial.org/howto/rsync/
There are 10 types of people in this world, those who understand binary and those who don't