PHP allow_url_include is enabled

OWASP 2013-A5, OWASP 2017-A6, OWASP 2021-A5, CWE-16, WASC-13

The allow_url_include directive lets a developer include a remote file by URL rather than by local file path. This is sometimes done to reduce the load on the server and to pull open source resources into the application without hosting them locally. Many servers run with the PHP configuration directive allow_url_include enabled. When it is enabled, the application can retrieve data from remote locations through its include paths. If user input is not properly validated, an attacker can conduct a remote file inclusion attack on the server. With allow_url_include enabled, an attacker can fetch data from remote locations through functions such as fopen() and file_get_contents(). If allow_url_fopen is disabled, allow_url_include is also disabled by default. The allow_url_include setting is available in PHP versions 5.2 and above.


The below code is an example of allow_url_include:-




Using this vulnerability, an attacker can:-

  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application
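As an added example (not the article's own code), the include pattern that allow_url_include exposes, beside a hardened version that resolves the request against a fixed allow-list and refuses to serve while the directive is still on; the file names and the page parameter are hypothetical:

```php
<?php
// Added example, not the article's code: the include pattern that allow_url_include
// turns into a remote file inclusion (RFI) risk, beside a hardened version.
// File and parameter names are hypothetical.

// --- Vulnerable pattern ---
// Untrusted input reaches include(). With allow_url_include=On, a value that
// starts with a URL scheme makes PHP fetch and execute a remote script.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// --- Hardened pattern ---
// 1. Map the request value onto a fixed allow-list of local templates; the
//    raw input never becomes part of an include path.
// 2. Fail closed if the interpreter still has allow_url_include enabled. The
//    directive is PHP_INI_SYSTEM, so it cannot be corrected with ini_set();
//    it has to be fixed in php.ini or .htaccess.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function allow_url_include_enabled(): bool
{
    // ini_get() returns "1"/"0" or "On"/"Off" depending on how it was set.
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

function render_page(string $requested): void
{
    if (allow_url_include_enabled()) {
        error_log('allow_url_include is On; refusing to serve until php.ini is fixed');
        http_response_code(500);
        return;
    }
    if (!array_key_exists($requested, PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include PAGES[$requested];   // always one of the allow-listed local files
}

render_page($_GET['page'] ?? 'home');
```

The runtime check is only a safety net: the directive itself must be turned off in the server configuration, and PHP 7.4 and later mark it deprecated.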

Mitigation / Precaution

Beagle recommends the following fixes:-

Disable allow_url_include in php.ini or .htaccess. For .htaccess (Apache with mod_php), the directive is:

        php_flag allow_url_include off

