PHP open_basedir is NOT set

Description

This vulnerability was detected using the information from phpinfo() page.
If “open_basedir” is not set, there is no limit for the files to be opened by PHP to the specified directory tree, this means that you might be exposed to Remote File Inclusion.

Remote File Inclusion (RFI) vulnerability is a vulnerability in uncontrolled web applications that rely on script runtime. With the help of the vulnerability, an attacker could inject code into a Web server and run it remotely.

Recommendation

Set the “open_basedir” configuration directive from php.ini as follows :
open_basedir = my_app_directory

References

https://kayran.io/blog/vulnerabilities/remote-file-inclusion-rfi/

https://en.wikipedia.org/wiki/File_inclusion_vulnerability

< Return to all Vulnerabilities

What is Kayran

Kayran scanner is helping all businesses, both SMBs and enterprises, to test their online assets and products for over 9000 vulnerabilities.Kayran’s mission is to make

Read More »

What is a CWE ?

Similar to the article written on CVEs, in this article we will answer the questions :What is CWE ? and, what is the difference between

Read More »

APT vs. ATP

In this article we will talk about APT vs. ATP. In other words, Advanced Persistent Threat and Advanced Threat Protection and the context between these

Read More »