PHP enable_dl enabled
Description
The PHP configuration directive 'enable_dl' controls whether the dl() function can dynamically load PHP extensions at runtime. When enabled (the default setting), this feature allows applications to bypass safe_mode security restrictions and load arbitrary PHP modules, potentially introducing unauthorized code execution paths. This setting is particularly concerning in shared hosting environments or when running untrusted code.
Remediation
Disable the enable_dl directive in your PHP configuration to prevent dynamic loading of PHP extensions:
Step 1: Locate your php.ini file (typically in /etc/php.ini or /etc/php/[version]/php.ini)
Step 2: Add or modify the following directive:
enable_dl = Off
Step 3: Restart your web server to apply the changes:
# For Apache
sudo systemctl restart apache2
# For Nginx with PHP-FPM
sudo systemctl restart php-fpm
Step 4: Verify the change by creating a PHP file with phpinfo() and confirming enable_dl shows as 'Off'
Note: If your application legitimately requires specific PHP extensions, install them statically through your package manager rather than loading them dynamically.
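A command-line check for Steps 1, 2 and 4, given as an added example that is not part of the original advisory: it reads one or more ini files and reports the enable_dl value that takes effect. The function names enable_dl_state and enable_dl_is_off are hypothetical. It assumes that a later occurrence of the directive overrides an earlier one and reports any value other than a recognised "false" as on, so unusual values get reviewed.

```shell
#!/bin/sh
# Added example: report the effective enable_dl setting from php.ini files.
# Prints "off", "on" or "unset" (directive absent or only commented out).
# Files are read in the order given; the last occurrence found is reported.
enable_dl_state() {
    awk '
        BEGIN { state = "unset" }
        {
            line = $0
            sub(/;.*$/, "", line)            # a ";" starts an ini comment
            if (line !~ /^[ \t]*enable_dl[ \t]*=/) next
            sub(/^[^=]*=[ \t]*/, "", line)   # keep only the value
            gsub(/[ \t\r"]/, "", line)       # trim blanks, CR and quotes
            v = tolower(line)
            # Values treated as false here; anything else is flagged as on.
            if (v == "off" || v == "0" || v == "false" || v == "no" || v == "none" || v == "")
                state = "off"
            else
                state = "on"
        }
        END { print state }
    ' "$@"
}

# Succeeds only when the directive is explicitly switched off.
# "unset" fails as well, because the advisory states the default is enabled.
enable_dl_is_off() {
    [ "$(enable_dl_state "$@")" = "off" ]
}
```

Call it as `enable_dl_is_off /etc/php.ini || echo "enable_dl is not disabled"`, passing any additional ini files after the main one.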