Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
PHP allow_url_include enabled - Vulnerability Database

PHP allow_url_include enabled

Description

The PHP configuration directive allow_url_include is enabled. When enabled, this directive allows data retrieval from remote locations (web site or FTP server) for functions like fopen and file_get_contents. If user input is not properly validated, this can conduct to remote file inclusion vulnerabilities.

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled. This setting is only available since PHP 5.2.

Remediation

You can disable allow_url_include from php.ini or .htaccess.<br/><br/> <strong>php.ini</strong><br/> allow_url_include = 'off'<br/><br/> <strong>.htaccess</strong><br/> php_flag allow_url_include off<br/>

References

PHP allow_url_include Is Enabled - Invicti

Related Vulnerabilities

PHP allow_url_fopen Is Enabled Low
Common tags: Configuration File Inclusion
PHP open_basedir Is Not Configured Low
Common tags: Configuration File Inclusion
PHP allow_url_include Is Enabled Low
Common tags: Configuration File Inclusion
Trace.axd Detected High
Common tags: Configuration
Nonce Usage Detected in Content Security Policy (CSP) Directive Information
Common tags: Configuration

Severity

Low

Classification

CWE-829
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration
File Inclusion