Description

The PHP configuration directive allow_url_include is enabled. When enabled, this directive allows data retrieval from remote locations (web site or FTP server) for functions like fopen and file_get_contents. If user input is not properly validated, this can conduct to remote file inclusion vulnerabilities.

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled. This setting is only available since PHP 5.2.

Remediation

You can disable allow_url_include from php.ini or .htaccess.

php.ini
allow_url_include = 'off'

.htaccess
php_flag allow_url_include off

Related Vulnerabilities

Apache Proxy HTTP CONNECT method enabled

Nginx PHP code execution via FastCGI

Apache perl-status enabled

Passive Mixed Content over HTTPS

Joomla J!Dump extension enabled

Severity

High

Classification

CWE-829 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration File Inclusion