File access functions in PHP are typically used to open local files. They are also capable of reading files from remote servers using protocols such as HTTP, HTTPS and FTP.

This behavior is controlled by the allow_url_fopen and allow_url_include settings.

Why is this an issue?

Most applications do not require or expect the file access functions to download remotely accessible files. However, attackers can abuse these remote file access features while exploiting other vulnerabilities, such as path traversal issues.

What is the potential impact?

While activating these settings does not pose a direct threat to the application’s security, they can make the exploitation of other vulnerabilities easier and more severe.

If an attacker can control a file location while allow_url_fopen is set to 1, they can use this ability to perform a Server-Side Request Forgery exploit. This allows the attacker to affect more than just the local application and they may be able to laterally attack other assets on the local network.

If allow_url_include is set to 1, the attacker will also have the ability to download and execute arbitrary PHP code.

How to fix it

allow_url_fopen and allow_url_include should be deactivated in the main PHP configuration file. Note that allow_url_include is disabled by default while allow_url_fopen is not and must be explicitly disabled.

Code examples

Noncompliant code example

; php.ini  Noncompliant; allow_url_fopen is enabled by default
allow_url_include=1  ; Noncompliant

Compliant solution

; php.ini
allow_url_fopen=0
allow_url_include=0

Resources

Standards

• OWASP - Top 10 2021 Category A5 - Security Misconfiguration
• OWASP - Top 10 2017 Category A6 - Security Misconfiguration
• CWE - CWE-16 - Inclusion of Functionality from Untrusted Control Sphere