84 lines
2.4 KiB
Plaintext
84 lines
2.4 KiB
Plaintext
File access functions in PHP are typically used to open local files. They are
|
|
also capable of reading files from remote servers using protocols such as HTTP,
|
|
HTTPS and FTP.
|
|
|
|
This behavior is controlled by the `allow_url_fopen` and `allow_url_include`
|
|
settings.
|
|
|
|
== Why is this an issue?
|
|
|
|
Most applications do not require or expect the file access functions to download
|
|
remotely accessible files. However, attackers can abuse these remote file access
|
|
features while exploiting other vulnerabilities, such as path traversal issues.
|
|
|
|
=== What is the potential impact?
|
|
|
|
While activating these settings does not pose a direct threat to the
|
|
application's security, they can make the exploitation of other vulnerabilities
|
|
easier and more severe.
|
|
|
|
If an attacker can control a file location while `allow_url_fopen` is set
|
|
to `1`, they can use this ability to perform a Server-Side Request Forgery
|
|
exploit. This allows the attacker to affect more than just the local application
|
|
and they may be able to laterally attack other assets on the local network.
|
|
|
|
If `allow_url_include` is set to `1`, the attacker will also have the ability to
|
|
download and execute arbitrary PHP code.
|
|
|
|
== How to fix it
|
|
|
|
`allow_url_fopen` and `allow_url_include` should be deactivated in the main PHP
|
|
configuration file. Note that `allow_url_include` is disabled by default while
|
|
`allow_url_fopen` is not and must be explicitly disabled.
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,php,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
; php.ini Noncompliant; allow_url_fopen is enabled by default
|
|
allow_url_include=1 ; Noncompliant
|
|
----
|
|
|
|
|
|
==== Compliant solution
|
|
|
|
[source,php,diff-id=1,diff-type=compliant]
|
|
----
|
|
; php.ini
|
|
allow_url_fopen=0
|
|
allow_url_include=0
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
=== Standards
|
|
|
|
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
|
|
* CWE - https://cwe.mitre.org/data/definitions/829[CWE-16 - Inclusion of Functionality from Untrusted Control Sphere]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Disable "xxx".
|
|
* Disable "allow_url_fopen" explicitly; it is enabled by default.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 1 Sep 2015, 07:42:52 Linda Martin wrote:
|
|
LGTM!
|
|
|
|
endif::env-github,rspecator-view[]
|