
Vulnerability
allow_url_fopen lets PHP's file functions retrieve data from remote servers and websites, and many servers run with it enabled. Leaving allow_url_fopen enabled carries the risk of:
- enabling remote file execution
- access control bypass
- information disclosure attacks
If an attacker can inject a remote URI into a file function, that function can manipulate the application into:
- executing the fetched file
- storing the fetched file
- displaying the fetched file
The function performs these operations on untrusted sources just as it does on trusted ones.
Impact
Using this vulnerability, an attacker can:
- manipulate sensitive information
- leak sensitive information
- gain administrator access to the web application
Mitigation / Precaution
Beagle recommends the following fixes:
- Disable allow_url_fopen in php.ini or .htaccess.
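As an added illustration (not code from this page or from Beagle Security), a PHP endpoint that passes a request parameter straight to file_get_contents(), shown next to a hardened version that keeps reads inside one local directory and fails closed if allow_url_fopen is still enabled. The function names and the reports/ directory are assumptions.

```php
<?php
// Added example, not from the Beagle Security page: an endpoint that passes a
// request parameter to file_get_contents(), next to a hardened version.
// loadReportUnsafe(), loadReport() and the reports/ directory are assumed names.
declare(strict_types=1);

// Server-side settings (php.ini). Both are PHP_INI_SYSTEM, so a script cannot
// turn them back on with ini_set():
//   allow_url_fopen   = Off   ; fopen()/file_get_contents() cannot open http://, ftp:// ...
//   allow_url_include = Off   ; include/require cannot load remote code (separate switch)

// VULNERABLE: with allow_url_fopen=On, $name may be a remote URI, so the
// application fetches and then displays or stores attacker-chosen content.
function loadReportUnsafe(string $name)
{
    return file_get_contents($name);
}

// HARDENED: accept only a plain file name, resolve it under a fixed local
// directory, and fail closed if remote wrappers are still enabled.
function loadReport(string $name): string
{
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_fopen must be disabled in php.ini');
    }
    // Allowlist: letters, digits, dash, underscore and a single ".txt" suffix.
    // This excludes URL schemes ("http://"), traversal ("../") and NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name)) {
        throw new InvalidArgumentException('invalid report name');
    }
    $base = realpath(__DIR__ . '/reports');
    if ($base === false) {
        throw new RuntimeException('reports directory missing');
    }
    // realpath() returns false for missing files; also confirm the resolved
    // path is still inside the reports directory (guards against symlinks).
    $path = realpath($base . '/' . $name);
    if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('report not found');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('report unreadable');
    }
    return $data;
}

// Usage: the "r" query parameter is untrusted input.
header('Content-Type: text/plain; charset=utf-8');
echo loadReport($_GET['r'] ?? '');
```

The runtime ini_get() check is a safety net, not a substitute for the php.ini setting: it makes the endpoint refuse to serve anything when the configuration was not applied as intended.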