PHP allow_url_include enabled - Vulnerability Database

PHP allow_url_include enabled

Description

The PHP configuration directive allow_url_include is enabled on the server. This setting permits the PHP include functions (include(), require(), include_once() and require_once()) to retrieve and execute files from remote locations over HTTP or FTP. Combined with insufficient input validation, it turns any include whose path is influenced by user input into a Remote File Inclusion (RFI) vector, where an attacker supplies a URL to code under their control and the server executes it. The directive has been disabled by default since PHP 5.2 because of this risk, and it is deprecated as of PHP 7.4.

Remediation

Disable the allow_url_include directive unless there is a specific, documented business requirement for remote file inclusion. This setting should remain disabled in production environments.

Method 1: Disable in php.ini (Recommended)
Locate your php.ini file and set:

allow_url_include = Off

After making changes, restart the web server (or the PHP-FPM service, if PHP runs under FPM) to apply the configuration. allow_url_include is a PHP_INI_SYSTEM directive: it can only be set in php.ini or the server configuration, not changed at runtime with ini_set().

Method 2: Disable in .htaccess (Apache only)
Add the following line to your .htaccess file. This only takes effect when PHP runs as an Apache module (mod_php); under PHP-FPM or FastCGI, php_flag is ignored and the php.ini method must be used:
php_flag allow_url_include Off

Verification:
Confirm the setting is disabled by checking the output of phpinfo() served through the web server, which reflects the web SAPI's configuration, or by running the command below. Note that the CLI may load a different php.ini than the web server, so the command alone does not prove the web-facing setting:
php -i | grep allow_url_include

Additional Security Measures:
Even with this setting disabled, always validate and sanitize file paths used in include statements. Use allowlists of permitted files rather than accepting arbitrary user input.
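The allowlist pattern described above, as an added example that is not part of this database entry: the request value only selects a key in a fixed map, so user-controlled text never reaches include() as a path, whatever the allow_url_include setting. The `page` parameter, the `pages/` directory and the file names are assumptions.

```php
<?php
// Added example, not code from the Invicti entry. The "page" parameter,
// the pages/ directory and the file names are assumptions for illustration.
declare(strict_types=1);

// Allowlist: request keys map to fixed files under one dedicated directory.
// Request text selects a key; it never becomes part of the path string.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a request value to an allowlisted template path, or null.
 * Anything not in the map (URLs, traversal sequences, stream wrappers)
 * is rejected before it can reach include().
 */
function resolvePage($requested): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGE_ALLOWLIST)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;
    }
    $file = realpath($base . '/' . PAGE_ALLOWLIST[$requested]);
    // Defense in depth: the resolved file must exist and lie inside $base.
    if ($file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Runtime check: log if the directive was re-enabled by another ini file.
// allow_url_include is PHP_INI_SYSTEM, so it cannot be corrected with ini_set().
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On; expected Off');
}

// Vulnerable pattern this replaces: include($_GET['page']);
// With allow_url_include=On that is an RFI; with it Off, still a local file inclusion.
$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;
```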

Related Vulnerabilities