Description
This vulnerability was detected using the information from the phpinfo() page.
When the “allow_url_include” option is enabled, PHP can retrieve and include data from remote locations such as FTP servers or websites through its URL-aware fopen wrappers.
If user input reaching such an include is not validated properly, the application is exposed to a remote file inclusion vulnerability.
The impact depends on what the included content does; some examples are:
- Injection and execution of malicious code.
- Information exposure, since the included untrusted source runs with the privileges and permissions of the application.
- Theft of users’ saved session data (cookies).
Recommendation
Disable “allow_url_include”:
- For php.ini: allow_url_include = Off
- For .htaccess: php_flag allow_url_include off
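As an added illustration (not part of this finding’s text), the following PHP shows the unvalidated include pattern the description refers to, a hardened allowlist version, and a runtime check that the recommended setting is actually off on the server; the page names and file paths are assumed.

```php
<?php
// Added example, not from the original advisory: remote file inclusion
// pattern beside a hardened version, plus a check of the effective setting.

// VULNERABLE: the page name comes straight from the request. With
// allow_url_include=On, PHP resolves the include through its URL-aware
// fopen wrappers, so remote content can be fetched and executed.
function render_page_unsafe(string $page): void
{
    include $page . '.php';
}

// HARDENED: only entries from a fixed allowlist are included, keyed by an
// opaque name, so neither URLs nor arbitrary paths ever reach include().
// (Paths under pages/ are assumed for this example.)
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function render_page_safe(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include PAGES[$page];
}

// CHECK: confirm the recommendation took effect. ini_get() returns "" or "0"
// when the option is off; "1" means remote includes are still enabled.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

$page = $_GET['page'] ?? 'home';
if (remote_include_enabled()) {
    error_log('allow_url_include is enabled; review php.ini');
}
render_page_safe($page);
```

Run remote_include_enabled() from the deployed application rather than a CLI script, since php.ini settings can differ between the CLI and the web server SAPI.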
References
https://www.php.net/manual/en/filesystem.configuration.php