Re: allow_url_fopen (cont. conversation from stackexchange with Arsalan)

Robert Faulkner Posted in General Discussion 7 years ago

Hi Arsalan,

Thanks for taking an interest in my post over on softwarerecs.stackexchange.com re allow_url_fopen.

You said that this function is used to allow developers to retrieve files from across the internet, so from an external source? Is this in order to effectively protect users' data outside the root directory, in the data folder, as suggested in your installation / setup documentation?

You also say that you do not see this as a security issue, which is great, but when I Google allow_url_fopen there are many, many results stating its vulnerability, and some results even offer exploits to take advantage of what appears to be a loophole.

The first result in Google states:
PHP scripts that can access remote files are potentially vulnerable to arbitrary code injection. When the allow_url_fopen directive is enabled, you can write scripts that open remote files as if they are local files. For example, you can use the file_get_contents function to retrieve the contents of a web page.

I do like this open source social network as the functionality follows that of Facebook, and since it is a Facebook group that I am looking to set this up for, this would provide the most seamless experience for my community. However, the security of my community is paramount, and so I would really like to be sure about the platform I eventually use.

As a side note, another important factor that I must consider is mobile access, which is one of the reasons I was attracted to crea8socialPRO. Does your platform offer a mobile platform, or do the site pages render effectively across devices, i.e. using HTML5 for example? I don't see mobile in the list of features, but I do see a mobile image in your slider(2) on the home page.

Thanks for all your help, and hope you can satisfy all my concerns.

Thanks
Rob
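
The directive Robert asks about, as an added illustration that is not code from Ossn, crea8socialPRO or any of the posters: allow_url_fopen controls whether the URL-aware stream wrappers (http://, ftp://) may be used by file_get_contents(), fopen() and friends; the separate directive allow_url_include, off by default since PHP 5.2, controls whether include/require may pull code from such URLs. The risk in the quoted search result is therefore not the directive by itself but passing user-controlled strings into these functions. The block below shows that pattern next to a hardened version that validates the scheme and host against an allowlist before any wrapper is consulted, and runs offline because it only validates the constructed sample URLs rather than fetching them. The host allowlist, the sample inputs and the function names are assumptions made for the example; it targets PHP 8.

```php
<?php
// Added example, not code from the original page or from the Ossn project.
declare(strict_types=1);

// Hypothetical allowlist: the only hosts this application may contact.
const ALLOWED_HOSTS = ['example.com', 'cdn.example.com'];

// Constructed sample inputs, the kind of values a "fetch this link" feature receives.
const SAMPLE_URLS = [
    'https://example.com/avatar.png',                      // allowed host, https
    'http://example.com/page.html',                        // allowed host, plain http
    'https://evil.example.net/payload.txt',                // host not on the allowlist
    'http://169.254.169.254/latest/meta-data/',            // cloud metadata address (SSRF target)
    'file:///etc/passwd',                                  // local file via file:// wrapper
    'php://filter/read=string.rot13/resource=index.php',   // php:// wrapper (source disclosure)
    '../../../etc/passwd',                                 // relative local path, no wrapper at all
];

/**
 * Vulnerable pattern: whatever the user supplied goes straight to file_get_contents().
 * With allow_url_fopen=1 this reaches any http/ftp URL the server can route to;
 * independent of allow_url_fopen it also reads local paths and php:// streams.
 */
function fetch_unsafe(string $userUrl): string|false
{
    return @file_get_contents($userUrl);
}

/**
 * Hardened: accept only absolute http/https URLs whose host is on the allowlist.
 * Returns the normalised URL, or null with the rejection reason in $reason.
 */
function validate_remote_url(string $url, ?string &$reason = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        $reason = 'not an absolute URL';
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        $reason = "scheme '$scheme' not permitted";
        return null;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $reason = "host '$host' not on allowlist";
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        $reason = 'credentials embedded in URL';
        return null;
    }
    $reason = null;
    return $url;
}

/**
 * Fetch a validated URL with a stream context that refuses redirects (a 302 from an
 * allowed host to an internal address would otherwise bypass the allowlist) and bounds
 * the time spent waiting on the remote side.
 */
function fetch_safe(string $userUrl): string|false
{
    $url = validate_remote_url($userUrl, $reason);
    if ($url === null) {
        return false;
    }
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,
        'max_redirects'   => 0,
        'timeout'         => 5.0,
    ]]);
    return @file_get_contents($url, false, $ctx);
}

/** Classify the constructed samples without touching the network. */
function classify_samples(): array
{
    $verdicts = [];
    foreach (SAMPLE_URLS as $candidate) {
        $ok = validate_remote_url($candidate, $reason);
        $verdicts[$candidate] = $ok !== null ? 'ALLOW' : "REJECT ($reason)";
    }
    return $verdicts;
}

// Show the server's current settings and the verdict for each sample.
printf("allow_url_fopen=%s allow_url_include=%s\n",
    ini_get('allow_url_fopen') ?: '0', ini_get('allow_url_include') ?: '0');
foreach (classify_samples() as $candidate => $verdict) {
    printf("%-55s %s\n", $candidate, $verdict);
}
```

Running the block prints the two ini values and ALLOW only for the first two samples; the other five are rejected by the scheme or host check before any wrapper is opened. Note that the relative path and the php:// and file:// samples would succeed inside fetch_unsafe() even with allow_url_fopen=0, which is why turning the directive off is not by itself a fix for user-controlled file names.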

Replies
Arsalan Shah Replied 7 years ago

Hello Robert, the below answer by Zet is correct :)

Michael Zülsdorff Replied 7 years ago

A good friend of mine once said: The moment you plug in your LAN cable is the moment you start losing control. Nevertheless: we did. We weren't yet thinking of WLAN in those days. Right now, WLAN-connected TVs might switch on their cameras and mics, spying on what we're doing. But the majority will continue to buy TVs. And as the years go by, our children won't even imagine a TV without these features.

Related to the community you're planning, that means: you'll be confronted with people asking for features. And more features. And the ability to upload some stuff is only a basic one. Hence you HAVE to be able to allow contacting foreign URLs; otherwise your forum will be marked 'outdated'.

Opening a door like that of course means opening a door for bad guys. But from my point of view Ossn is doing a really good job of preventing hacks and infections because of its numerous sanity checks under the hood. And in fact I haven't heard of any Ossn community being hacked so far.