allow_url_fopen setting on server

 
  • DELTA9000
  • Senior Member
  • Authorized Reseller
  • Join Date: 17-Apr 07
  • 356 posts

Posted 26 May 2008 - 01:25 PM #1

Can I get some feedback on what people are generally using for this setting on their server?

I had some funny PHP files a long time ago and a reply mentioned this setting was ON and caused people to create these 12345667.php files in my 777 folders - so I turned it off, but now newsletter images don't get emailed to subscribers (mentioned this in a separate post) - can anyone confirm required/recommended settings for this value and how to make newsletter images work - as the OFF value seems to be stopping them from showing.

Thanks in advance

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 26 May 2008 - 05:11 PM #2

I can't explain it any better than this article
http://phpsec.org/pr..._url_fopen.html

It can be an extremely dangerous function to allow, especially on servers without additional security measures in place to help prevent remote file exploitations.

As this article mentions, nearly any code written to require url_fopen can be improved to use cURL instead, which is more secure. The CS developers do seem to prefer using fopen instead for some reason in some of their code and also modifications they have created for some of my clients. I have refused to allow some of their modifications created requiring this in the past and they did then rewrite the code to use cURL instead.

 
  • DELTA9000
  • Senior Member
  • Authorized Reseller
  • Join Date: 17-Apr 07
  • 356 posts

Posted 26 May 2008 - 05:34 PM #3

Thanks combs for the article - as I mentioned, on my dedicated server I had these funny PHP files, and I turned the setting OFF, manually deleted them all, and never had a problem again - but like I said, now I don't get images going in the newsletters - I am wondering if someone has a workaround for this?

Thanks very much - I prefer the security over images any day of the week
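The cURL replacement suggested in reply #2, applied to the newsletter-image case from this thread, as an added example that is not CS-Cart's code or any poster's: it fetches an image by URL while allow_url_fopen stays Off. It assumes the newsletter code reads images by URL, current PHP with the curl and fileinfo extensions, and the function name, host names and size cap are hypothetical.

```php
<?php
// Added example: fetch a remote newsletter image with cURL while
// allow_url_fopen stays Off. Host names and the size cap are assumptions.

const ALLOWED_IMAGE_HOSTS = ['www.example-store.test', 'cdn.example-store.test'];
const MAX_IMAGE_BYTES = 2097152; // 2 MiB, an assumed limit

function fetch_newsletter_image(string $url): string
{
    // Only http(s) URLs on hosts the shop itself controls are fetched.
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)
        || !in_array($host, ALLOWED_IMAGE_HOSTS, true)) {
        throw new RuntimeException("URL not allowed: $url");
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could leave the allowlist
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Collect the body; a return value other than the chunk length
        // aborts the transfer, which enforces the size cap.
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body) {
            $body .= $chunk;
            return strlen($body) > MAX_IMAGE_BYTES ? -1 : strlen($chunk);
        },
    ]);
    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($ok === false || $status !== 200) {
        throw new RuntimeException("Fetch failed (HTTP $status)");
    }

    // Decide from the bytes, not from the Content-Type header or extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        throw new RuntimeException("Not an image: $mime");
    }
    return $body; // attach to the mail in memory, not via a 777 directory
}
```

Because the fetched bytes are returned as a string and attached as data, nothing remote is ever passed to include/require or written into a world-writable folder.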