PHP allow_url_fopen is enabled

Febna V M
Published on
02 Jul 2018

allow_url_fopen is a PHP configuration directive that lets file functions retrieve data from remote servers and websites. Some servers have allow_url_fopen enabled. An enabled allow_url_fopen carries a risk of:-

  • Enabling Remote File Execution

  • Access Control Bypass

  • Information Disclosure Attacks

If an attacker can inject a remote URI into a file function, the function could manipulate the application into:-

  • executing the fetched file

  • storing the fetched file

  • displaying the fetched file

The function performs the above operations on content from untrusted sources too.


Using this vulnerability, an attacker can:-

  • perform manipulation of sensitive information

  • leak sensitive information

  • gain administrator access to the web application

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Disable allow_url_fopen in php.ini or .htaccess.
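
The following is an added example, not code from the original article or from Beagle Security: a PHP runtime check that the directive is really off, together with a helper that only opens local files inside one directory. The names CONTENT_DIR, assert_url_fopen_disabled and resolve_local_file and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical directory holding the only files the application may open.
const CONTENT_DIR = __DIR__ . '/content';

// Fail closed if file functions can still open remote URIs in this runtime.
function assert_url_fopen_disabled(): void
{
    // ini_get() returns the effective value as a string such as "1", "0" or "".
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_fopen is enabled in this runtime');
    }
}

// Map a user-supplied name to a regular file inside $baseDir, or return null.
function resolve_local_file(string $name, string $baseDir): ?string
{
    // Defense in depth: refuse scheme separators (http://, ftp://, ...) and NUL bytes.
    if ($name === '' || strpos($name, '://') !== false || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() resolves ../ and symlinks and returns false if the path is missing.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample inputs: a local name, a remote URI and a traversal attempt.
$samples = ['about.txt', 'http://remote.example/page.txt', '../config.php'];

try {
    assert_url_fopen_disabled();
    echo "allow_url_fopen: disabled\n";
} catch (RuntimeException $e) {
    echo 'WARNING: ', $e->getMessage(), "\n";
}
foreach ($samples as $input) {
    $path = resolve_local_file($input, CONTENT_DIR);
    echo $input, ' => ', $path === null ? 'rejected' : "served from $path", "\n";
}
```

Run the check under the same SAPI that serves the site, because the CLI and the web server can load different php.ini files and an override that PHP does not honor fails silently.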

Written by
Febna V M
Cyber Security Engineer