Preventing RFI Attacks With the PHP Function StreamWrapperRestore

The php function stream_wrapper_restore is used to restore the original functionality of the PHP built-in HTTP wrapper. This includes removing the NTLM authentication code and restoring the security barriers that were removed when the web developer took precautions against RFI attacks.

If you are a web developer, it is likely that the developers on your site have started taking precautions against RFI attacks and have blacklisted certain system level commands like system and cmd from being used in input parameters. But even though these barriers have been put in place, it is still possible to get the information that is needed to execute the command. The problem is that if the attacker is able to send a text file to your server it may contain the html element phpinfo with all sorts of sensitive information about your webserver.

In order to do this the attacker will use a file called phpinfo.txt and include it in a POST Request. This will be redirected to the server and the phpinfo will execute as part of the web page. This will allow the attacker to gain access to information about the webserver including usernames, passwords and other data that can be used in an attack.

In order to prevent this you can take the following steps. First, you will need to create a class that implements the stream functions for a specific protocol (HTTP in this case). This class should override all of the stream functions except fclose(). This class should also implement the basic functions require to make it work with the SOAPClient Object.

Andreas Behr - CTO of DesertCoderz
You are a developer and looking for Shopware projects?
Apply Now!

stream_wrapper_restore example

self::$content = $content;
    }

    public static function register()
    {
        stream_wrapper_unregister('php');
        stream_wrapper_register('php', self::class);
    }

    public static function restore()
    {
        stream_wrapper_restore('php');
    }

    public function stream_open(string $path): bool
    {
        return true;
    }

    /** * @return false|string */
    public function stream_read(int $count)
    {
if (!\function_exists('opcache_is_script_cached') || !@opcache_is_script_cached($path)) {
            stream_wrapper_unregister('file');
            stream_wrapper_register('file', self::class);
        }

        return require $path;
    }

    public function stream_open(string $path, string $mode): bool
    {
        stream_wrapper_restore('file');
        $this->path = $path;

        return false !== $this->handle = fopen('compress.zlib://'.$path$mode);
    }

    public function stream_read(int $count): string|false
    {
        return fread($this->handle, $count);
    }

    public function stream_eof(): bool
    {
Home | Imprint | This part of the site doesn't use cookies.