Allow_url_fopen a security risk?

The success page after registration was not working as expected and I have run the s2Member “server-scanner” on our hosted webserver. https://hamar-tennis.no/s2-server-scanner.php According to the result there is a connection issue. The recommendation is to enable fopen(). This is also something that is recommended in another thread here on the forums https://www.s2member.com/forums/topic/custom-success-page-after-registration/index.html#post-47952

I have been in contact with our hosting company and according to them fopen() has been deactivated as it poses a “great security risk”. “Enabling fopen() will open for injecting malicious code if not implemented correctly”. Our hosting company refuses to enable fopen as this can be used to enable a script that can be used to send spam-mail from the server. My question is: is it only the success page that will not work because of this, or are there other features in s2member that are depending on this function?

I suggest you change host.

@KTS915 When software uses a function that depends on a known vulnerability, I’m thinking it’s because the developers either sacrifice security for functionality or they don’t think it’s important enough to develop software that will be secure. I’m ok with some of the functions in s2member not working; all I was asking is if there is more functionality than the “thank you page” that depends on this. Another option would of course be to choose a different WP member plugin that uses functions that are secure to use…

It’s not a “known vulnerability,” so your comment is beside the point. The fact that your host has said it is suggests you should move to a host who doesn’t make inaccurate assertions.

Maybe “recommendation” is a better word for it, then: http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html I know our host is very strict and has tightened their security in the last year. Maybe they have experienced something that makes them be “better safe than sorry”? It would really help if you or someone else could tell me if fopen() is used for more than just the “thank you page”. We just purchased s2member pro and so far this is the only thing that I have seen that is not working as expected. We plan to be using s2Member Pro API For Remote Operations https://s2member.com/kb-article/pro-api-for-remote-operations/ Do you know if this is something that will be affected by this?

The web page to which you link confuses several different things. But then it was written in 2007 when PHP was at version 0.2.1! Things are a little different now. And the current version is 7.1, with 7.2 due out later this month.

As the answer at the bottom of this page makes clear, allow_url_fopen is safe.

If your host really cares about safety and security, I assume that they prevent you from editing theme and plugin files on the fly, which is easily the most insecure part of WordPress and is a far bigger issue. There are several others: do they disable XML-RPC, for example? Have they overridden the default WP password encryption algorithm? What about security headers in header.php? These are all much more significant issues than allow_url_fopen.

I have no idea whether disabling allow_url_fopen will cause other issues. I have never tried, and I haven’t looked at the code. But it seems odd to want to use software that you know is going to be handicapped from the start. Once you go down that route, you are almost certain to find further problems ahead – and they will occur when you least want them to. Changing either host or plugin seems a much more robust solution.

Hi @KTS915 I owe you an apology! I should have done more of a background check before assuming that s2member is using a “known vulnerability”. It turns out that my host in fact had allow_url_fopen activated, but the reason the s2member server check failed was that they had deactivated “loopback”, as they had experienced some instances of badly written plugins that would cause curl to run “against itself”, which in turn would cause problems for the servers. Thank you again for taking the time to answer my question. Lesson learned, all green now! https://hamar-tennis.no/s2-server-scanner.php

The only thing now that’s “bugging me” is how to create a payment notification after a purchase using a Stripe Pro-form (“Create payment notification from a Stripe payment”). Maybe you could give me some pointers? :innocent:
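The thread’s real lesson is that an s2Member “connection” failure can have two different causes: allow_url_fopen switched off in PHP, or loopback requests (the site calling its own URL) blocked by the host. The following diagnostic is an added example, not s2Member’s own server-scanner; it checks each cause separately, and the site URL is a placeholder you must replace.

```php
<?php
// Added diagnostic (not s2Member's scanner): tells "allow_url_fopen is off"
// apart from "loopback is blocked", the two causes discussed in this thread.
// Assumption: run on the web host itself (CLI or browser) so the loopback
// request actually originates from the server.

function check_allow_url_fopen(): array {
    // ini_get() returns "1"/"0" or ""; normalise to a boolean.
    $enabled = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    return ['ok' => $enabled, 'detail' => 'allow_url_fopen=' . ($enabled ? 'On' : 'Off')];
}

function check_loopback(string $url, int $timeout = 5): array {
    // Uses cURL deliberately: it is independent of allow_url_fopen, so a
    // failure here points at the host's network/loopback policy, not php.ini.
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,     // HEAD is enough to prove reachability
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_FOLLOWLOCATION => false,
    ]);
    curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($errno !== 0) {
        // Connection refused / timed out: the server cannot reach itself.
        return ['ok' => false, 'detail' => "loopback blocked: cURL error $errno ($error)"];
    }
    // Any non-5xx response proves the loopback path works.
    return ['ok' => $status > 0 && $status < 500, 'detail' => "loopback HTTP status $status"];
}

// Placeholder: replace with the site's own public URL.
$site = 'https://example.com/';

$results = [
    'allow_url_fopen' => check_allow_url_fopen(),
    'loopback'        => check_loopback($site),
];
foreach ($results as $name => $r) {
    printf("%-16s %s  %s\n", $name, $r['ok'] ? 'PASS' : 'FAIL', $r['detail']);
}
```

Note that allow_url_fopen only lets fopen()/file_get_contents() read from URLs; including remote code is governed by the separate allow_url_include directive, which is off by default.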

Apology accepted!

That makes perfect sense.

I have made a suggestion about the other issue on that thread.

Still think Tim’s suggestion (change hosting) holds.

Disabling loopbacks will… well… break all manner of things, creating subtle site bugs/instability which are impossible to debug, unless you’re on the command line + you’re a Linux savant.

I’d never set up one of my hosting clients + turn off something so fundamental for normal site operation.

If your hosting company disabled Loopbacks, you have to wonder what other nonsense they’ve done.