The allow_url_include allows a developer to include a remote file using a URL rather than a local file path. This technique is used to reduce the load on the server. The allow_url_include is used to access open source resources in the application. There are many servers with PHP configuration directive allow_url_include as enabled. When this setting is enabled, the server’s directory allows data retrieval from remote locations. If the user inputs are not properly validated, the attacker can conduct remote file inclusion attack on the server. If allow_url_include is enabled, an attacker can get data from remote locations using functions like fopen() and file_get_contents. If allow_url_fopen is disabled, then allow_url_include will also be disabled by default. The allow_url_include setting is available in PHP from versions 5.2 and above.
Example
The below code is an example of allow_url_include:-
allow_url_include=on
Impact
Using this vulnerability, an attacker can:-
- manipulate sensitive information
- leak sensitive information
- gain administrator access to the web application
Mitigation / Precaution
Beagle recommends the following fixes:-
Disable allow_url_include in php.ini or .htaccess.
php.ini
allow_url_include=off
.htaccess
php_flag allow_url_include off
