rspec/rules/S3334/php/rule.adoc

File access functions in PHP are typically used to open local files. They are
also capable of reading files from remote servers using protocols such as HTTP,
HTTPS and FTP.

This behavior is controlled by the `allow_url_fopen` and `allow_url_include`
settings.

== Why is this an issue?

Most applications do not require or expect the file access functions to download
remotely accessible files. However, attackers can abuse these remote file access
features while exploiting other vulnerabilities, such as path traversal issues.

=== What is the potential impact?

While activating these settings does not pose a direct threat to the
application's security, they can make the exploitation of other vulnerabilities
easier and more severe.

If an attacker can control a file location while `allow_url_fopen` is set
to `1`, they can use this ability to perform a Server-Side Request Forgery
exploit. This allows the attacker to affect more than just the local application
and they may be able to laterally attack other assets on the local network.

If `allow_url_include` is set to `1`, the attacker will also have the ability to
download and execute arbitrary PHP code.

== How to fix it

`allow_url_fopen` and `allow_url_include` should be deactivated in the main PHP
configuration file. Note that `allow_url_include` is disabled by default while
`allow_url_fopen` is not and must be explicitly disabled.

=== Code examples

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
; php.ini  Noncompliant; allow_url_fopen is enabled by default
allow_url_include=1  ; Noncompliant
----


==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
; php.ini  
allow_url_fopen=0
allow_url_include=0
----


== Resources

=== Standards

* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/829[CWE-16 - Inclusion of Functionality from Untrusted Control Sphere]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Disable "xxx".
* Disable "allow_url_fopen" explicitly; it is enabled by default.


'''
== Comments And Links
(visible only on this page)

=== on 1 Sep 2015, 07:42:52 Linda Martin wrote:
LGTM!

endif::env-github,rspecator-view[]
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			`File access functions in PHP are typically used to open local files. They are`
			`also capable of reading files from remote servers using protocols such as HTTP,`
			`HTTPS and FTP.`

			This behavior is controlled by the `allow_url_fopen` and `allow_url_include`
			`settings.`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			`Most applications do not require or expect the file access functions to download`
			`remotely accessible files. However, attackers can abuse these remote file access`
			`features while exploiting other vulnerabilities, such as path traversal issues.`

			`=== What is the potential impact?`

			`While activating these settings does not pose a direct threat to the`
			`application's security, they can make the exploitation of other vulnerabilities`
			`easier and more severe.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			If an attacker can control a file location while `allow_url_fopen` is set
			to `1`, they can use this ability to perform a Server-Side Request Forgery
			`exploit. This allows the attacker to affect more than just the local application`
			`and they may be able to laterally attack other assets on the local network.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			If `allow_url_include` is set to `1`, the attacker will also have the ability to
			`download and execute arbitrary PHP code.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			`== How to fix it`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			`allow_url_fopen` and `allow_url_include` should be deactivated in the main PHP
			configuration file. Note that `allow_url_include` is disabled by default while
			`allow_url_fopen` is not and must be explicitly disabled.
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			`=== Code examples`

			`==== Noncompliant code example`

			`[source,php,diff-id=1,diff-type=noncompliant]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			`; php.ini Noncompliant; allow_url_fopen is enabled by default`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`allow_url_include=1 ; Noncompliant`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			`==== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			`[source,php,diff-id=1,diff-type=compliant]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`; php.ini`
			`allow_url_fopen=0`
			`allow_url_include=0`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify S3334: Change text to LaYC (APPSEC-1219) (#3334) 2023-10-25 09:38:17 +02:00			`=== Standards`

			`* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]`
			`* CWE - https://cwe.mitre.org/data/definitions/829[CWE-16 - Inclusion of Functionality from Untrusted Control Sphere]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`* Disable "xxx".`
			`* Disable "allow_url_fopen" explicitly; it is enabled by default.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 1 Sep 2015, 07:42:52 Linda Martin wrote:`
			`LGTM!`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`