PHP allow_url_include enabled

Description
  • The PHP configuration directive allow_url_include is enabled. When enabled, this directive allows data retrieval from remote locations (web site or FTP server) for functions like fopen and file_get_contents. If user input is not properly validated, this can lead to remote file inclusion vulnerabilities.

    allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled. This setting is available only since PHP 5.2.
Remediation
  • You can disable allow_url_include from php.ini or .htaccess.

    php.ini:
    allow_url_include = 'off'

    .htaccess:
    php_flag allow_url_include off
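
To confirm the remediation took effect, the following added example (not part of the original advisory) reads php.ini and .htaccess text and reports whether remote inclusion is effectively on, applying the rule above that allow_url_include has no effect while allow_url_fopen is off. The function names and sample files are constructed for illustration, and it assumes the server honours php_flag lines in .htaccess.

```python
import re

# PHP's documented defaults: allow_url_fopen is on, allow_url_include is off.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}
NAME = r"(allow_url_(?:fopen|include))"

def ini_bool(raw):
    """Read a boolean setting as PHP does: on/yes/true or a non-zero number."""
    v = raw.strip().strip("'\"").lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m and int(m.group()) != 0)

def parse_php_ini(text):
    found = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]                   # drop ';' comments
        m = re.match(r"\s*" + NAME + r"\s*=\s*(.*)$", line)
        if m:
            found[m.group(1)] = ini_bool(m.group(2))   # last assignment wins
    return found

def parse_htaccess(text):
    found = {}
    for line in text.splitlines():                     # '#' comment lines never match
        m = re.match(r"\s*php_(?:flag|value)\s+" + NAME + r"\s+(\S+)", line)
        if m:
            found[m.group(1)] = ini_bool(m.group(2))
    return found

def audit(php_ini, htaccess=""):
    eff = dict(DEFAULTS)
    eff.update(parse_php_ini(php_ini))
    eff.update(parse_htaccess(htaccess))               # assumed to override php.ini
    # allow_url_include only matters while allow_url_fopen is also enabled.
    eff["remote_include_enabled"] = eff["allow_url_fopen"] and eff["allow_url_include"]
    return eff

# Constructed sample inputs.
SAMPLE_INI = """[PHP]
; allow_url_include = Off
allow_url_fopen = On
allow_url_include = 'on'   ; constructed: left on for a legacy plugin
"""
SAMPLE_HTACCESS = "# constructed sample\nphp_flag allow_url_include off\n"

if __name__ == "__main__":
    print(audit(SAMPLE_INI))                    # finding present
    print(audit(SAMPLE_INI, SAMPLE_HTACCESS))   # remediated via .htaccess
```
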