Invicti detected that the
open_basedir configuration directive was not set.
open_basedir configuration directive can be used to restrict the folders from which local files may be included by PHP. It, therefore, acts as an effective defense-in-depth mechanism against local file inclusions. It works by taking the path to your web application as a parameter and subsequently refusing access to any file or folder that is further up in the directory tree.
It is important to note that attackers might still include configuration files under the specified directory or read the content of your PHP scripts, should they find a local file inclusion vulnerability in your application. This directive solely prevents them from including other files on the system, such as your server's access log.
In order to activate the
open_basedir protection, you need to define a
php.ini directive of the same name. This can be set in the php.ini file by adding or modifying the directive as seen in the example below.
open_basedir = /var/www/html/
Please note that in the versions below PHP 5.3.0, the mode for allowing to change the directive was specified as PHP_INI_SYSTEM, which means that it was only possible to set it in the
httpd.conf files. However, starting from PHP 5.3.0, this changed to
PHP_INI_ALL, which means it can be set in
user.ini, and the Windows registry or programmatically using