Is including a remote file a security risk?
Posted: Mon Jan 21, 2008 5:27 pm
by suga
I have always heard that a programmer should never include a remote file and after searching the topic I have found vulnerabilities when a variable is used to determine the URI being used in the include.
For example:
I can understand a vulnerability in this sense, but if the URI is coded into the include are there any vulnerabilities or security issues?
For example:
Code:
<?php
include('http://www.domain.com/banner.php');
?>
Sorry if this sounds like a basic question, but I have always been told never to include remote files, but I have never understood what vulnerabilities might exist if the URI is hard coded. Thanks!
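The variable-driven include the post refers to, shown as an added example beside an allow-list version (this is illustrative code, not the poster's; the page names and paths are assumptions):

```php
<?php
declare(strict_types=1);
// Added example (not the poster's code): a request-controlled include beside
// an allow-list version. The page names and paths below are assumptions.

// Unsafe: whatever arrives in the request decides which file is included.
// The request can name a local file the page never meant to run, and with
// the allow_url_include directive enabled it can name a URL, so code chosen
// by the client would execute on this server.
function include_page_unsafe(string $requested): void
{
    include $requested . '.php';
}

// Safe: the request value is only a key into a fixed map of files that live
// on this server. Unknown keys fall back to a known page instead of being
// interpreted as a path.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $requested): string
{
    return PAGES[$requested] ?? PAGES['home'];
}

function include_page_safe(string $requested): void
{
    include resolve_page($requested);
}

// Usage in a front controller (assumed parameter name):
// include_page_safe((string) ($_GET['page'] ?? 'home'));
```

The allow-list version never passes request data to include at all; the request only selects among files the developer listed, which is why it holds up even if allow_url_include is switched on later.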
Re: Is including a remote file a security risk?
Posted: Mon Jan 21, 2008 5:42 pm
by Oren
What if http://www.domain.com/banner.php looked like this:
Code:
some_evil_func_which_fetch_data_from_your_db_and_email_it_to_me();
Re: Is including a remote file a security risk?
Posted: Mon Jan 21, 2008 5:47 pm
by suga
Sorry for not making that clear. If I managed both websites and had full control over http://www.domain.com/banner.php - but the websites are on separate servers ... would there be a security risk? Is there any other way that a person could inject something into an include request between two servers?
Re: Is including a remote file a security risk?
Posted: Mon Jan 21, 2008 5:57 pm
by Oren
I guess it depends on what you have on the remote file. If the remote file fetches some data from an external source then again, you are at risk just as if it wasn't your file. But if that file is managed by you and doesn't use any user input then I guess it'd be secure.
P.S. "User input" in this case refers to anything that is coming from the outside world. For example, some sort of code for a banner from one of your advertisers.
Re: Is including a remote file a security risk?
Posted: Mon Jan 21, 2008 6:10 pm
by Christopher
If you control both sites it should be ok ... but they find ways to hack just about anything. If you could find a way to do it as a data feed rather than executing remote code -- that would be preferable. Why do you need that file parsed?
Re: Is including a remote file a security risk?
Posted: Mon Jan 21, 2008 6:47 pm
by suga
I have a dynamic navigation on one website that changes each week and I am setting up a sub-domain of that website on another server to set up a blog. I need to pull in the navigation HTML on a regular basis so the navigation is up-to-date and thought about using the readfile function to pull the HTML code. I was just curious what vulnerabilities there were when using an include function as this would be an easier process.
Thanks for the insight - let me know if you have any other thoughts about this.
Re: Is including a remote file a security risk?
Posted: Mon Jan 21, 2008 6:55 pm
by Christopher
Every vector you open up to remote code execution is a potential exploit. You may have it locked down now, but next year you change something and you have unknowingly opened a door into your server. I would use some kind of data exchange web service if possible.
Re: Is including a remote file a security risk?
Posted: Tue Jan 22, 2008 2:53 am
by VladSun
It's vulnerable to a man-in-the-middle attack ...
Re: Is including a remote file a security risk?
Posted: Tue Jan 22, 2008 3:05 am
by VladSun
The easiest way to defend against these attacks (supposing you are not able to use ssh tunnels or https) would be to sign the file contents.
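The data-feed approach Christopher suggested and the signed-contents defence VladSun describes, put together as an added example (this is not the thread's code; the shared secret, URL and cache path are assumptions). The producing site publishes the navigation HTML inside an HMAC-signed envelope, and the consuming site verifies the tag and then echoes the HTML as data instead of include()-ing it:

```php
<?php
declare(strict_types=1);
// Added example (not the thread's code): ship the navigation as signed data
// and verify it on the consuming server instead of include()-ing remote code.
// The secret value, URL and cache path are assumptions for illustration.

// Assumption: a long random secret shared out-of-band between the two servers.
const NAV_SECRET = 'replace-with-a-long-random-shared-secret';

// Producer (main site): wrap the current navigation HTML in a signed envelope.
// The HMAC-SHA256 tag covers the exact HTML bytes that will be rendered.
function sign_navigation(string $html, string $secret): string
{
    $sig = hash_hmac('sha256', $html, $secret);
    return json_encode(['html' => $html, 'sig' => $sig], JSON_THROW_ON_ERROR);
}

// Consumer (blog sub-domain): accept the HTML only if the tag verifies.
// Returns null on any structural or signature failure so the caller can fall
// back to a cached copy instead of rendering bytes of unknown origin.
function verify_navigation(string $envelope, string $secret): ?string
{
    $data = json_decode($envelope, true);
    if (!is_array($data)
        || !isset($data['html'], $data['sig'])
        || !is_string($data['html'])
        || !is_string($data['sig'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $data['html'], $secret);
    // hash_equals() compares in constant time, so the check leaks no timing
    // information about how many leading characters of the tag were right.
    return hash_equals($expected, $data['sig']) ? $data['html'] : null;
}

// Fetch the envelope with a short timeout so a slow or unreachable remote host
// cannot hang the page that needs the navigation (a concern raised above).
function fetch_envelope(string $url, int $timeoutSeconds = 3): ?string
{
    $ctx  = stream_context_create(['http' => ['method' => 'GET', 'timeout' => $timeoutSeconds]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// Glue for the consuming page: verified HTML refreshes the local cache, any
// failure serves the last good copy. The HTML is echoed as data, never executed.
function render_navigation(string $url, string $cacheFile, string $secret): string
{
    $envelope = fetch_envelope($url);
    $html     = $envelope === null ? null : verify_navigation($envelope, $secret);
    if ($html !== null) {
        file_put_contents($cacheFile, $html, LOCK_EX);
        return $html;
    }
    return is_readable($cacheFile) ? (string) file_get_contents($cacheFile) : '';
}

// --- Demonstration with constructed data; no network is touched ---
$html     = '<ul><li><a href="/">Home</a></li><li><a href="/news">News</a></li></ul>';
$envelope = sign_navigation($html, NAV_SECRET);

// A genuine envelope verifies and yields the original HTML.
var_dump(verify_navigation($envelope, NAV_SECRET) === $html);

// Simulate bytes altered in transit: the tag no longer matches and the
// consumer refuses the payload rather than rendering it.
$altered = json_decode($envelope, true);
$altered['html'] .= '<!-- altered in transit -->';
var_dump(verify_navigation(json_encode($altered), NAV_SECRET));

// An envelope produced under a different secret also fails verification.
var_dump(verify_navigation($envelope, 'another-secret'));

// On the blog server the page would call (assumed URL and cache path):
// echo render_navigation('https://www.domain.com/nav.php', __DIR__ . '/nav-cache.html', NAV_SECRET);
```

Two design points. With a shared HMAC key either host can mint valid envelopes, so the scheme only proves the HTML came from one of the two servers; if one-way trust is wanted (only the main site can sign, the blog can merely check), openssl_sign() and openssl_verify() with a key pair whose private half stays on the producer do the same job. And the signature protects the content, not the channel: where https is available, use both, since TLS also hides the traffic and stops a tamperer from replaying an old but validly signed envelope unnoticed unless a timestamp is added to the signed data.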
Re: Is including a remote file a security risk?
Posted: Tue Jan 22, 2008 3:36 am
by Mordred
arborint wrote: Every vector you open up to remote code execution is a potential exploit. You may have it locked down now, but next year you change something and you have unknowingly opened a door into your server. I would use some kind of data exchange web service if possible.
+1
You shouldn't need to remotely include a file. Since you control both servers, just copy it, you lazy person

You could set up a cron job as well. Pulling it every time remotely may put strain on both servers or at least make the including page unresponsive.
Re: Is including a remote file a security risk?
Posted: Tue Jan 22, 2008 10:21 am
by suga
Thank you arborint and everyone else - those are all valid points.
Mordred, I thought about this last night. My thought was to set up a cron that would initiate a script creating the latest version of the navigation and then FTP (or I suppose SFTP) the HTML file to the new server. Did you have an idea of a better way to do this?
Re: Is including a remote file a security risk?
Posted: Tue Jan 22, 2008 10:39 am
by VladSun
You can use scp.
Also, maybe rsync would be helpful:
http://sial.org/howto/rsync/