Wednesday, July 13, 2011

How to enable allow_url_fopen for a single domain on a cPanel server?

SkyHi @ Wednesday, July 13, 2011

The way to enable allow_url_fopen differs between a phpsuexec and a non-phpsuexec server. For security reasons the option is usually disabled server-wide; however, you can turn it on for a single domain/account in case it is required.

Here is how it needs to be done.
  • On a non phpsuexec server:
Go to the /usr/local/apache/conf/ directory,
# cd /usr/local/apache/conf/
and check whether a “userdata” directory exists there. If not, create the “userdata/<username>” directory and then the file allowurl.conf inside it. The complete path should look like:
# pico /usr/local/apache/conf/userdata/<username>/allowurl.conf
and add the following to the file
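<IfModule mod_php5.c>
 # Applies only where PHP runs as an Apache module (mod_php5)
 php_admin_value allow_url_fopen On
 # allow_url_include additionally lets include()/require() load remote URLs
 php_admin_value allow_url_include On
</IfModule>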
Now edit the Apache configuration file and scroll down to the VirtualHost entry of the domain. Include the path of the file created above, as shown below:
Include "/usr/local/apache/conf/userdata/<username>/allowurl.conf"
Save the file and rebuild the Apache configuration:
# /usr/local/cpanel/bin/apache_conf_distiller --update
# /usr/local/cpanel/bin/build_apache_conf
# /scripts/restartsrv httpd
This will enable allow_url_fopen for that domain.
  • On a PhpSuExec or SuPHP server:

On a SuPHP-enabled server, turning on allow_url_fopen in the VirtualHost entry won’t work, since PHP no longer runs as an Apache handler.
In such a case, copy the server's global php.ini into a directory of the domain, say public_html (the php.ini has to be in the directory where your script that needs allow_url_fopen resides):
# cp /usr/local/lib/php.ini /home/<username>/public_html/
Edit the new php.ini file and enable allow_url_fopen in it
allow_url_fopen = On
Save the file. That's it.
BTW, replace “<username>” with the actual username of the domain wherever stated.


The PHP option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. For security reasons, AUSWEB has disabled this feature; however, a feature-rich alternative exists in the form of the bundled cURL library.

Server-Side Includes
Many developers include files by pointing to a remote URL, even if the file is within the local system. For example:
<?php include(""); ?>
With allow_url_fopen disabled, this method will not work. Instead, the file must be included with a local path, and there are three methods of doing this:
  1. By using a relative path, such as ../includes/example_include.php.
  2. By using an absolute path (also known as relative-from-root), such as /home/username/
  3. By using the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory. This is by far the best (and most portable) solution. The example that follows shows the environment variable in action:

Processing Differences (and passing variables to an included file)
It is worth mentioning that the alternative solutions presented here change the way the include() function is handled. The alternative solutions all return the PHP code from the included page; however, the now-unavailable remote URL method returns the result from the included page. One consequence of this behavior is that you cannot pass a querystring using the alternative solutions. Instead, you define the variables locally before performing the include:

To achieve the effect of this:
<?php include(""); ?>

You must instead use this:
$var = "example";
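The include guidance above (a local path built from $_SERVER['DOCUMENT_ROOT'], variables defined locally rather than in a querystring), shown as an added example that is not part of the original post. The function render_page(), its allowlist and the includes/greeting.php fixture are hypothetical; the script builds a temporary web root so that it runs from the PHP CLI.

```php
<?php
// Added example, not from the original post. render_page(), the allowlist
// and includes/greeting.php are hypothetical names.

// Constructed fixture: a throwaway web root with one include file, so the
// script runs from the PHP CLI. On a real site the server sets DOCUMENT_ROOT.
$root = sys_get_temp_dir() . '/docroot_demo_' . getmypid();
mkdir($root . '/includes', 0700, true);
file_put_contents(
    $root . '/includes/greeting.php',
    '<?php echo "Hello, " . htmlspecialchars($var, ENT_QUOTES) . "\n";'
);
$_SERVER['DOCUMENT_ROOT'] = $root;

// The request value only selects a key in a fixed allowlist; it is never
// concatenated into the path handed to include().
function render_page(string $requested, string $var): string
{
    $allowed = ['greeting' => '/includes/greeting.php'];
    if (!isset($allowed[$requested])) {
        return "404: unknown page\n";   // a URL or any other value ends here
    }
    $base = realpath($_SERVER['DOCUMENT_ROOT']);
    $path = realpath($base . $allowed[$requested]);
    // Refuse anything that resolves outside the web root (e.g. via a symlink).
    if ($path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return "500: include outside web root\n";
    }
    // A local include runs in this scope, so $var is simply defined here
    // (the function parameter) instead of being sent as ?var=... on a URL.
    ob_start();
    include $path;
    return ob_get_clean();
}

echo render_page('greeting', 'example');
echo render_page('http://example.invalid/remote.txt', 'example'); // constructed value

// Remove the fixture.
unlink($root . '/includes/greeting.php');
rmdir($root . '/includes');
rmdir($root);
```

Because the request value is only looked up as an array key, the result is the same whether allow_url_fopen is on or off for the account.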

Example exploitation
If allow_url_fopen is enabled, this system can be exploited by simply changing the value of the variable in the querystring: