PHP allow_url_fopen enabled

Description

The PHP configuration directive allow_url_fopen is enabled. When enabled, this directive allows PHP's file functions (for example fopen() and file_get_contents()) to retrieve data from remote locations (a website or FTP server) as if they were local files. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and inadequate input filtering, so that an attacker-controlled value reaches a file function as a URL.

allow_url_fopen is enabled by default.

Remediation

You can disable allow_url_fopen from php.ini or .htaccess.

php.ini
allow_url_fopen = Off

.htaccess
php_flag allow_url_fopen off
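After applying either setting, confirm the value the running interpreter actually uses: allow_url_fopen is a PHP_INI_SYSTEM directive, so a value set in .htaccess or through ini_set() is ignored by modern PHP builds and only php.ini (or the SAPI-level configuration) takes effect. The following script is an added example, not part of this advisory, that reports the effective setting and shows the input-filtering pattern the description calls for: the user-supplied value is confined to a file name inside a fixed directory, so stream wrappers and path traversal are rejected before any filesystem call regardless of how allow_url_fopen is configured. The function names remoteWrappersStatus() and readLocalFile() and the sample directory under the system temp path are this example's own constructions.

```php
<?php
// Added example (not from the original advisory): check the effective
// allow_url_fopen value and read files without trusting user input as a path.

declare(strict_types=1);

// Report the effective runtime values. allow_url_fopen is PHP_INI_SYSTEM, so a
// per-directory (.htaccess) or ini_set() override does not apply; asking the
// running interpreter is the only reliable check.
function remoteWrappersStatus(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Hardened file read: the user-controlled value is only ever used as a bare
// file name inside $baseDir. URL schemes ("http://", "ftp://", "php://",
// "data:") and nested paths fail the character check; ".." survives the regex
// but is caught by the realpath() prefix comparison below.
function readLocalFile(string $baseDir, string $userInput): string
{
    if (preg_match('#^[A-Za-z0-9_.-]+$#', $userInput) !== 1) {
        throw new InvalidArgumentException('invalid file name');
    }
    $base = realpath($baseDir);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $userInput);
    // realpath() resolves symlinks and "..", so confirm the target is still inside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('file not found');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('read failed');
    }
    return $data;
}

// Constructed sample directory and file so the script runs stand-alone.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'allow_url_fopen_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'welcome.txt', "hello\n");

print_r(remoteWrappersStatus());
echo readLocalFile($dir, 'welcome.txt');

// Constructed inputs that a remote-wrapper or traversal attempt would look like;
// each is rejected before any filesystem call reaches a URL.
foreach (['http://example.invalid/x', '../etc/passwd', 'php://filter/resource=welcome.txt', '..'] as $bad) {
    try {
        readLocalFile($dir, $bad);
    } catch (Exception $e) {
        echo "rejected: $bad ({$e->getMessage()})\n";
    }
}
```

Run it with the CLI (`php check.php`) and, for web-facing configuration, also through the web SAPI (for example via a phpinfo() page or the same script served by the web server), since the CLI and the web server may load different php.ini files. The regex allowlist rather than a denylist of schemes is the design choice here: any future wrapper is rejected by default, and the realpath() comparison closes the remaining gap of symlinks and ".." components.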
