Monday, February 4, 2013

allow_url_include

Test Description

This test checks to see if allow_url_include is enabled. Note that this setting is only available since PHP 5.2, so the test will not run if you have an older version.

Security Implications

If disabled, allow_url_include bars remote file access via the include and require statements, but leaves it available for other file functions like fopen() and file_get_contents(). include and require are the most common attack points for code injection attempts (remote file inclusion), so this setting plugs that particular hole without affecting the remote file access capabilities of the standard file functions.
Note that at this point we still recommend disabling allow_url_fopen as well, but developers who are confident in their secure coding practices may want to leave allow_url_fopen enabled.
By default, allow_url_include is disabled. If allow_url_fopen is disabled, allow_url_include is also disabled, since the directive has no effect without it.

Recommendations

By default, allow_url_include is disabled. We strongly recommend keeping it disabled.
You can disable allow_url_include in the php.ini file:
; Disable allow_url_include for security reasons
allow_url_include = Off
The setting can also be disabled in Apache's httpd.conf file (it is a PHP_INI_SYSTEM directive, so it must be set in the main server or virtual host configuration, not in .htaccess or at runtime with ini_set()):
# Disable allow_url_include for security reasons
php_flag  allow_url_include  off
For remote file access, consider using the cURL functions that PHP provides.
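The following is an added example, not code from the original post or from the checker it describes: a stand-alone PHP version of the test above that honours the PHP 5.2 caveat and the dependency on allow_url_fopen. The function name and result format are this example's own assumptions.

```php
<?php
// Added example: audit the allow_url_include setting of the running PHP.
// check_allow_url_include() and its result layout are assumptions of this
// example, not part of the original post.

function check_allow_url_include(): array {
    // The directive only exists since PHP 5.2; on older builds the test
    // cannot run, so report "skipped" rather than a pass or fail.
    if (version_compare(PHP_VERSION, '5.2.0', '<')) {
        return ['status' => 'skipped',
                'reason' => 'allow_url_include requires PHP 5.2 or later'];
    }

    // ini_get() returns the raw configured string ("", "0", "1", "Off", ...),
    // so normalise it the way PHP does for boolean directives.
    $include = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    $fopen   = filter_var(ini_get('allow_url_fopen'),   FILTER_VALIDATE_BOOLEAN);

    if ($include && $fopen) {
        return ['status' => 'warning',
                'reason' => 'allow_url_include is enabled: include/require accept URLs'];
    }

    // allow_url_include has no effect while allow_url_fopen is off, so both
    // remaining cases mean remote includes are blocked.
    return ['status' => 'ok',
            'reason' => $fopen
                ? 'allow_url_include is disabled'
                : 'allow_url_fopen is disabled, which also disables allow_url_include'];
}

$result = check_allow_url_include();
printf("allow_url_include check: %s (%s)\n", $result['status'], $result['reason']);
```

Run it with the same SAPI you want to audit (for example through the web server rather than the CLI), since php.ini and php_flag values can differ between them.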
