LOGIN
CONTACT SALES
LOGIN
CONTACT SALES

allow_url_include Enabled

Description

This vulnerability was detected using the information from phpinfo() page.
When the “allow_url_include” option is enabled, it is possible to retrieve data from remote places such as servers for uploading files (FTP) or websites using functions like “fopen”.
If a user’s input is not being validated properly, we may be exposed to “remote file inclusion vulnerabilities”.

This may have several different consequences, depending on the included functionality, some examples are :

  • Injection of malicious malware.
  • Information exposure by granting excessive privileges or permissions to the untrusted sources or functions.
  • Stealing user’s saved session data (Cookies).

Recommendation

Disable “allow_url_include” from :

  • For php.ini : allow_url_include = ‘off’
  • For .htaccess : php_flag allow_url_include off.

References

https://www.php.net/manual/en/filesystem.configuration.php

https://cwe.mitre.org/data/definitions/16.html

< Return to all Vulnerabilities

Request a Demo

Red Team

You’ve probably heard that there are teams in the Cyber field called Red Team and Blue Team. Let’s talk about the red one, shall we?

Read More »
Facebook Linkedin

Company

Resources

Docs

Latest posts

PING US
Facebook Linkedin