allow_url_fopen
Test Description
This test checks to see if allow_url_fopen is enabled.
Security Implications
If enabled, allow_url_fopen lets PHP's file functions, such as file_get_contents(), and the include and require statements retrieve data from remote locations such as an FTP or web server. (Since PHP 5.2.0, remote include and require are additionally gated by the separate allow_url_include directive, which is off by default; allow_url_fopen still governs the file functions.) Programmers frequently forget this and do not filter user-provided data properly before passing it to these functions, which opens the application to code injection and to attacker-chosen remote fetches. A large number of the code injection vulnerabilities reported in PHP-based web applications are caused by the combination of allow_url_fopen being enabled and poor input filtering. allow_url_fopen is on by default.
Recommendations
You should disable allow_url_fopen in the php.ini file:

; Disable allow_url_fopen for security reasons
allow_url_fopen = Off

The setting can also be disabled in Apache's httpd.conf file. allow_url_fopen is a PHP_INI_SYSTEM directive, so it must be set with php_admin_flag in the main server or virtual host configuration (php_flag only covers PHP_INI_ALL and PHP_INI_PERDIR directives, and the setting cannot be changed from .htaccess or with ini_set()):

# Disable allow_url_fopen for security reasons
php_admin_flag allow_url_fopen off

For remote file access, consider using the cURL functions that PHP provides.
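A small audit script to confirm the change took effect, added here as an example (not from phpsecinfo). It reports allow_url_fopen and allow_url_include as the running interpreter sees them and demonstrates why the fix belongs in php.ini or httpd.conf: ini_set() on a PHP_INI_SYSTEM directive fails and returns false. Because every SAPI can load a different php.ini, run it with the web server's ini (the "php -c" path below is a placeholder) or drop it briefly under the web root and request it through Apache.

```php
<?php
// Added example, not phpsecinfo's own code. Usage (path is a placeholder):
//   php -c /path/to/apache/php.ini audit_url_fopen.php ; echo "exit=$?"
declare(strict_types=1);

// Returns name => ['raw' => ini string, 'enabled' => bool, 'ok' => bool] so the
// result can be consumed by a monitoring job as well as printed.
function auditRemoteFileSettings(): array
{
    $findings = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $name) {
        $raw = ini_get($name);
        // ini_get() hands back the raw configured string ("1", "0", "", "Off", ...)
        // or false when the directive does not exist in this PHP version.
        $enabled = $raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
        $findings[$name] = ['raw' => $raw, 'enabled' => $enabled, 'ok' => !$enabled];
    }

    // Both directives are PHP_INI_SYSTEM: ini_set() cannot change them at
    // runtime and returns false. Application code therefore cannot "fix" this
    // for itself; only php.ini or the Apache php_admin_flag directive can.
    $attempt = ini_set('allow_url_fopen', '0');
    $findings['ini_set_blocked'] = ['raw' => $attempt, 'enabled' => null, 'ok' => $attempt === false];

    return $findings;
}

// Human-readable report; exit status 1 if anything is still enabled.
function reportFindings(array $findings): int
{
    $exit = 0;
    foreach ($findings as $name => $f) {
        printf("%-18s %s  (ini value: %s)\n",
            $name,
            $f['ok'] ? 'OK  ' : 'FAIL',
            var_export($f['raw'], true));
        if (!$f['ok']) {
            $exit = 1;
        }
    }
    return $exit;
}

exit(reportFindings(auditRemoteFileSettings()));
```

FILTER_VALIDATE_BOOLEAN accepts the same spellings php.ini does ("1", "on", "yes", "true" versus "0", "off", "no", "false", ""), so a php.ini that says "Off" and one that says "0" are judged the same way. A missing allow_url_include (PHP older than 5.2) is reported as not enabled, which is correct for that version: there, remote includes are controlled by allow_url_fopen alone.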
More Information
- PHP.net manual: allow_url_fopen
- PHP.net manual: Using remote files
- PHP.net manual: CURL, Client URL Library Functions
REFERENCES
http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html