PHP allow_url_include is enabled

Nash N Sulthan
Published on
02 Jul 2018
1 min read

The allow_url_include allows a developer to include a remote file using a URL rather than a local file path. This technique is used to reduce the load on the server. The allow_url_include is used to access open source resources in the application. There are many servers with PHP configuration directive allow_url_include as enabled. When this setting is enabled, the server’s directory allows data retrieval from remote locations. If the user inputs are not properly validated, the attacker can conduct remote file inclusion attack on the server. If allow_url_include is enabled, an attacker can get data from remote locations using functions like fopen() and file_get_contents. If allow_url_fopen is disabled, then allow_url_include will also be disabled by default. The allow_url_include setting is available in PHP from versions 5.2 and above.


The below code is an example of allow_url_include:-




Using this vulnerability, an attacker can:-

  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application

Mitigation / Precaution

Beagle recommends the following fixes:-

Disable allow_url_include in php.ini or .htaccess.





        php_flag allow_url_include off

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.