For this reason, many security researchers recommend disabling allow_url_fopen in the php.ini configuration. Unfortunately, many of those who recommend this approach do not realize that it breaks many applications and is not a 100% guarantee against remote URL includes and the insecurity they bring.
Because of this, users have frequently asked for a way to disable URL inclusion while keeping URL support for the other file system functions.
For this reason, allow_url_include was planned for PHP 6. Following these discussions, the feature was backported to PHP 5.2.0. Most security researchers have since changed their advice and now only recommend disabling allow_url_include.
Unfortunately, allow_url_fopen and allow_url_include are not the root of the problem. On the one hand, including local files is still dangerous enough, because attackers can often get PHP code onto the server through session data, file uploads, log files, etc.
On the other hand, allow_url_fopen and allow_url_include only protect against URL handles that are flagged as URLs. This covers http(s) and ftp(s), but not php:// or data: (new in PHP 5.2.0) URLs. With these URL forms, PHP code injection is trivial.
Example 1: Use php://input to read the POST data
```php
<?php
// Insecure Include
// The following Include statement will
// include and execute everything POSTed
// to the server
include "php://input";
?>
```
Example 2: Use data: to Include arbitrary code
```php
<?php
// Insecure Include
// The following Include statement will
// include and execute the base64 encoded
// payload. Here this is just phpinfo()
include "data:;base64,PD9waHAgcGhwaW5mbygpOz8+";
?>
```
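Because neither allow_url_fopen nor allow_url_include is a complete answer, the practical fix for both examples above is to never pass request data to include at all. The following is an added example, not code from the original article: it resolves an untrusted page name against a fixed allowlist and directory (TEMPLATE_DIR and ALLOWED_PAGES are illustrative names chosen here), so php://input, data: and traversal strings never reach include, and it also reports the two php.ini switches the article discusses so they can be checked at runtime.

```php
<?php
// Added example (not from the original article). Assumed layout: page
// templates live under TEMPLATE_DIR and only the names in ALLOWED_PAGES
// may be included. Both constants are illustrative.
const TEMPLATE_DIR   = __DIR__ . '/templates';
const ALLOWED_PAGES  = ['home', 'about', 'contact'];

/**
 * Resolve an untrusted page name to a template path, or return null.
 * Rejecting anything that is not a plain allowlisted identifier excludes
 * every stream-wrapper scheme (php://input, data:, http://, ftp://) and
 * directory traversal before include() is ever reached.
 */
function resolveTemplate(string $page): ?string
{
    // Plain identifiers only: no ":", "/" or "." can survive this check.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;
    }
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base      = realpath(TEMPLATE_DIR);
    $candidate = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    // Defence in depth: the resolved file must sit inside the template dir.
    if ($base === false || $candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Report the two php.ini switches discussed in the article as booleans.
 * Both should be off; as the article notes, even with allow_url_include
 * off the php:// and data: forms still need the allowlist above.
 */
function urlIncludeSettings(): array
{
    return [
        'allow_url_fopen'   => (bool) ini_get('allow_url_fopen'),
        'allow_url_include' => (bool) ini_get('allow_url_include'),
    ];
}

// Usage: the request parameter is validated first and never handed to
// include directly, unlike the insecure examples above.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$path = resolveTemplate($page);
if ($path === null) {
    header('HTTP/1.0 404 Not Found');
    exit('Unknown page');
}
include $path;
```

The regular expression alone already stops every wrapper scheme, so the realpath prefix check is deliberately redundant; it exists so that a later edit to the allowlist or directory layout cannot silently reopen a traversal path.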