What is the security risk of enabling "allow_url_include" in php.ini on the server?

Discussion in 'Security' started by crazy.works, Mar 26, 2010.

  1. #1
    Hello, I am coding a new PHP script. I need to use URL include inside that script, so I have to enable 'allow_url_include = On' in the 'php.ini' file on the Apache server, and that makes me wonder about these 2 important questions:
    1. What is the security risk for the server after enabling this function?
    2. What is the security risk for my PHP script after enabling this function and using it inside my script like this:
    include('http://another-site.com/file.php');

    Thanks
     
    crazy.works, Mar 26, 2010 IP
  2. zacharooni

    zacharooni Well-Known Member

    #2
    Generally, you want this disabled because if you ever parse variables in any fopen() call or include() call, there's always a remote possibility that a malicious user could include a text or PHP script from their website, compromising your site. Better to use the cURL functions.
     
    zacharooni, Mar 29, 2010 IP
  3. nishant.soni

    nishant.soni Active Member

    #3
    You should not go for it. Critical reasons:
    1. RFI - Remote file inclusion, which could lead to straight deface.
    2. LFI - Local file inclusion, which again could lead to straight deface.
     
    nishant.soni, Apr 2, 2010 IP
  4. showstopper

    showstopper Active Member

    #4
    I never knew that, but some of the best scripts use one of the functions, fopen.
     
    showstopper, Apr 19, 2010 IP
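
The alternative suggested in post #2 (cURL instead of a URL include) and the file inclusion concern from post #3, as an added example that is not part of the original thread: remote content is fetched as a string and never executed, and local includes are chosen from a fixed map. The host allowlist, the page names and the `pages/` directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Hosts, page names and paths are hypothetical.

// Log a warning if the setting has been switched on (it is Off by default).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On: include()/require() will accept URLs');
}

const ALLOWED_HOSTS = ['another-site.com'];   // hypothetical trusted host

// Fetch remote content as a string; it is never passed to include() or eval().
function fetch_remote_as_data(string $url): string
{
    $parts = parse_url($url);
    if (!is_array($parts) || strtolower($parts['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('URL is not on the allowlist');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // rejects file://, ftp://, etc.
        CURLOPT_FOLLOWLOCATION => false,           // a redirect cannot leave the allowlist
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false || $status !== 200) {
        throw new RuntimeException('Remote fetch failed');
    }
    return $body;   // data only: parse it, or echo it through htmlspecialchars()
}

// Local includes: map the request value to a fixed file instead of building a path from it.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];   // hypothetical pages

function resolve_page(string $requested): string
{
    $file = PAGES[$requested] ?? PAGES['home'];   // unknown values fall back to home
    return __DIR__ . '/pages/' . $file;
}

// Constructed inputs: a valid page, a URL, and a path outside the pages directory.
foreach (['about', 'http://untrusted.example/x.txt', '../config.php'] as $input) {
    printf("%-32s -> %s\n", $input, basename(resolve_page($input)));
}
```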