allow_url_include Enabled

Description

This vulnerability was detected using information from the phpinfo() page.
When the “allow_url_include” option is enabled, data can be retrieved from remote locations, such as file-upload (FTP) servers or websites, using functions like “fopen”.
If user input is not validated properly, the application may be exposed to remote file inclusion vulnerabilities.

This can have several consequences, depending on the included functionality. Some examples are:

  • Injection of malware.
  • Information exposure by granting excessive privileges or permissions to untrusted sources or functions.
  • Theft of a user’s saved session data (cookies).

Recommendation

Disable “allow_url_include” in:

  • For php.ini: allow_url_include = Off
  • For .htaccess: php_flag allow_url_include off
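
One way to verify the recommendation, as an added example that is not part of the original page: a Python check that reads php.ini or .htaccess text and reports whether allow_url_include ends up enabled. The function names and sample file contents are constructed for illustration; it assumes the last assignment in a file wins and that 1, on, true and yes count as enabled.

```python
import re

# Values counted as "enabled". Assumption: the same set is applied to both
# file types, which errs on the side of flagging.
TRUTHY = {"1", "on", "true", "yes"}

# php.ini form:   allow_url_include = Off   ; optional comment
INI_RE = re.compile(r"^\s*allow_url_include\s*=\s*(.*?)\s*(?:;.*)?$", re.I)
# .htaccess form: php_flag allow_url_include off
FLAG_RE = re.compile(r"^\s*php_(?:admin_)?(?:flag|value)\s+allow_url_include\s+(\S+)", re.I)

def effective_setting(text):
    """Return True (enabled), False (disabled) or None (never set)."""
    state = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":   # blank or commented out
            continue
        m = INI_RE.match(line) or FLAG_RE.match(line)
        if m:
            value = m.group(1).strip("\"'").lower()
            state = value in TRUTHY               # later lines override earlier
    return state

def audit(sources):
    """Return the names of the sources that leave allow_url_include enabled."""
    return [name for name, text in sources.items() if effective_setting(text)]

# Constructed sample inputs
SAMPLE_PHP_INI = """\
[PHP]
allow_url_fopen = On
;allow_url_include = On
allow_url_include = Off
allow_url_include = "On"   ; re-enabled for a legacy plugin
"""
SAMPLE_HTACCESS = """\
# hardening
Options -Indexes
php_flag allow_url_include off
"""
SAMPLE_UNSET = "memory_limit = 128M\n"

if __name__ == "__main__":
    files = {"php.ini": SAMPLE_PHP_INI, ".htaccess": SAMPLE_HTACCESS}
    for name in audit(files):
        print(f"{name}: allow_url_include is enabled, set it to Off")
```

A result of None means the file never sets the directive, so the value comes from elsewhere in the configuration or from PHP's default.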

References

https://www.php.net/manual/en/filesystem.configuration.php
