PHP allow_url_fopen is enabled

By
Febna V M
Published on
02 Jul 2018
Vulnerability

llow_url_fopen is used to retrieve data from remote servers and websites. There are servers with allow_url_fopen as enabled. The allow_url_fopen carries a risk of:-

  • Enabling Remote File Execution

  • Access Control Bypass

  • Information Disclosure Attacks

If an attacker can inject a remote URI into the file function. The function could manipulate an application into:-

  • executing the fetched file

  • storing the fetched file

  • displaying the fetched file

The function will perform the above operations in untrusted sources too.

Impact

Using this vulnerability, an attacker can:-

  • perform manipulation of sensitive information

  • leak sensitive information

  • gain administrator access to the web application

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Disable allow_url_fopen in php.ini or .htaccess.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Febna V M
Febna V M
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.