What Is The Risk Of Having PHP's allow_url_include Enabled?

I'm not really sure what this setting even does, but it is flagged as being really dangerous. Why is it dangerous to have allow_url_include on a webserver running PHP as the main language, and how are you supposed to disable it?

1 Answer

Answered By Dan On

This setting is up there as one of the most dangerous settings you can have enabled on a web server. It will allow someone to potentially inject a tiny piece of code into your system that could in turn completely compromise your entire server. If you have some bad programming practices in place it could even mean someone could compromise your system without even having to inject code. If you are unsure whether you need this to be enabled the answer is likely NO! Disable it immediately.

What Does Allow URL Include Do?

When you are writing PHP scripts, it is possible to include another script by means of the include or require actions. A super simple example of this would be a crude web page.

<?php
// Pull in the database helpers and the shared page header.
require "database.php";
include "header.php";
?>
<h1>My web page</h1>
<?php
// Shared page footer.
include "footer.php";

This is a fairly common way to use the include and require commands. When you have allow_url_include enabled it allows you to use a URL as the string inside of the require or include commands. This will make PHP include a remote file directly into the executing script. If you have a script that does something incredibly stupid such as using a dynamic variable from user input as the value for an include, you are opening the door to a world of pain. Even if you are careful, this can still be crazy dangerous, simply because it is not something that any scanning tools would consider dangerous.

Let's just say someone hacks your WordPress website. They pick some random script in the WordPress core and add an include that will include a remote script that some hacker has placed at another location. On your server, it will be a tiny piece of code that doesn't look scary at all. The script being included is where the damage is done.

Allow URL include is one of those things that has very few uses. When it's needed, it's powerful, but 99% of the time, you could easily work around the need for it. It is highly recommended you disable this directive on your web server.

How To Disable Allow URL Include

You can disable this directive from within the php.ini file on your web server. Open this file and search for a line that contains "allow_url_include". Create or edit this line to read as follows. Make sure there is not a hash character (#) in front of this line or it will not apply.

allow_url_include = Off
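An added example, not part of the answer above, covering both points Dan makes: never let "a dynamic variable from user input" become the include path, and confirm at runtime that allow_url_include really is off. The page names (home, about, contact), the pages/ directory and the function names are constructed for this example. Two facts worth knowing alongside the php.ini edit: allow_url_include is a PHP_INI_SYSTEM directive, so it can only be set in php.ini, in the web server config (php_admin_flag for mod_php, or a php_admin_flag line in a php-fpm pool file), never with ini_set() from a script; and php.ini comment lines start with a semicolon (;), so that is the character to check for in front of the directive.

```php
<?php
// Added example (not from the original answer). Two defensive pieces:
//  1. resolve_page(): user input selects a key in a fixed allowlist; the
//     include path itself never comes from the request, so neither a
//     remote URL nor an unexpected local file can be pulled in.
//  2. remote_include_risks(): fail closed if allow_url_include is still on.
//     It is PHP_INI_SYSTEM, so a script cannot switch it off itself; the
//     fix belongs in php.ini, which this check only verifies.

declare(strict_types=1);

// Constructed allowlist: the only scripts this front controller may load.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map a user-supplied page key to a vetted file path.
 * Returns null for anything not in the allowlist so the caller can 404.
 */
function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    $path = realpath(__DIR__ . '/' . PAGES[$key]);
    $root = realpath(__DIR__ . '/pages');
    // Belt and braces: even an allowlisted entry must resolve under pages/.
    if ($path === false || $root === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Report php.ini directives that would permit remote includes.
 * ini_get() returns "1" when the directive is on, "0" or "" when off.
 */
function remote_include_risks(): array
{
    $risks = [];
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $risks[] = 'allow_url_include';
    }
    return $risks;
}

// --- front controller ----------------------------------------------------
$risks = remote_include_risks();
if ($risks !== []) {
    // Refuse to serve rather than run with remote includes enabled.
    http_response_code(500);
    error_log('Refusing to serve: unsafe php.ini directive(s) on: ' . implode(', ', $risks));
    exit;
}

// The pattern the answer warns about would be `include $_GET['page'];`.
// Here the request only chooses a key; the path comes from the allowlist.
$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    echo 'Not found';
    exit;
}
include $page;
```

To confirm the php.ini change took effect for the SAPI that actually serves requests (the CLI and the web server may read different ini files), run `php -i | grep allow_url_include` for the CLI and check phpinfo() output, or the php-fpm pool settings, for the web-facing process; the guard above will also log and stop serving if the directive is still on.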