PHP allow_url_fopen is enabled

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 CWE-16 WASC-13

allow_url_fopen is a PHP configuration directive that lets the file functions (for example fopen() and file_get_contents()) retrieve data from remote servers and websites. Some servers run with allow_url_fopen enabled. Leaving it enabled carries the risk of:-

  • Enabling Remote File Execution

  • Access Control Bypass

  • Information Disclosure Attacks

If an attacker can inject a remote URI into a file function, that function can be used to manipulate the application into:-

  • executing the fetched file

  • storing the fetched file

  • displaying the fetched file

The function performs these operations on untrusted remote sources exactly as it does on local files.

Using this vulnerability, an attacker can:-

  • perform manipulation of sensitive information

  • leak sensitive information

  • gain administrator access to the web application

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Disable allow_url_fopen in php.ini or .htaccess.
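Disabling the directive is the server-side fix; the application should also never hand an unvalidated name to a file function. The following is an added example (not Beagle's or the page's own code) that reports the effective allow_url_fopen / allow_url_include settings and resolves a user-supplied name only to a plain file inside a hypothetical `templates/` directory, rejecting every stream wrapper and traversal attempt:

```php
<?php
// Added example, not part of the original page. Assumes a hypothetical
// "templates/" directory next to this script and a "page" query parameter.
declare(strict_types=1);

function report_url_fopen_settings(): array
{
    // allow_url_fopen is PHP_INI_SYSTEM: it cannot be changed with ini_set(),
    // so this only reports what php.ini or the server configuration set.
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

/**
 * Resolve a user-supplied name to a file inside $baseDir, or return null.
 * Rejects stream wrappers (http://, ftp://, php://, data:, ...) and any
 * traversal out of the base directory, independently of the ini setting.
 */
function resolve_local_file(string $baseDir, string $name): ?string
{
    // Any scheme prefix denotes a remote or special stream, never a plain file.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name)) {
        return null;
    }
    // Allow only a simple basename: no slashes, no NUL bytes, no dot segments.
    if (!preg_match('#^[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)?$#', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files; re-check containment anyway.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Only a vetted local path ever reaches the file function.
$settings = report_url_fopen_settings();
if ($settings['allow_url_fopen']) {
    error_log('allow_url_fopen is On; set allow_url_fopen = Off in php.ini');
}
$file = resolve_local_file(__DIR__ . '/templates', $_GET['page'] ?? '');
echo $file === null ? 'Not found' : file_get_contents($file);
```

Because allow_url_fopen is a system-level directive, the check in resolve_local_file() is the part the application itself controls; the ini setting still has to be turned off in php.ini or the server configuration.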
