What Is The Risk Of Having PHP's Allow URL Include Enabled?


This setting is up there as one of the most dangerous settings you can have enabled on a web server. It allows someone to potentially inject a tiny piece of code into your system that could in turn completely compromise your entire server. If you have some bad programming practices in place, it could even mean someone could compromise your system without having to inject any code at all. If you are unsure whether you need this to be enabled, the answer is likely NO! Disable it immediately.

What Does Allow URL Include Do?

When you are writing PHP scripts, it is possible to include another script by means of the include or require statements. A super simple example of this would be a crude web page.

This is a fairly common way to use the include and require statements. When allow_url_include is enabled, it allows you to use a URL as the string inside of the require or include statement. This makes PHP fetch a remote file and include it directly into the executing script. If you have a script that does something incredibly stupid, such as using a dynamic variable from user input as the value for an include, you are opening the door to a world of pain. Even if you are careful, this can still be crazy dangerous, simply because an include statement is not something that any scanning tools would consider dangerous.

Let's just say someone hacks your WordPress website. They pick some random script in the WordPress core and add an include that pulls in a remote script that the hacker has placed at another location. On your server, it is a tiny piece of code that doesn't look scary at all. The script being included is where the damage is done.

Allow URL include is one of those things that has very few uses. When it's needed it's powerful, but 99% of the time you could easily work around the need for it. It is highly recommended you disable this directive on your web server.

How To Disable Allow URL Include

You can disable this directive from within the php.ini file on your web server. Open this file and search for a line that contains "allow_url_include". Create or edit this line to read as follows. Make sure the line is not commented out (php.ini uses a leading semicolon; older configs may also use a hash character, #) or it will not apply, and restart the web server or PHP-FPM so the change takes effect.
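As an added example (not code from the original post), this script ties together the two points above: the dangerous "user input goes straight into include" pattern, an allow-listed replacement, and a runtime check of the allow_url_include setting. The page names and paths under pages/ are hypothetical.

```php
<?php
// Added example: contrast the include pattern the article warns about with
// an allow-listed version, and detect allow_url_include at runtime.
declare(strict_types=1);

// Pages this script may include. Keys are what the user may request; values
// are fixed local paths, so nothing user-controlled reaches include().
// (Hypothetical page names and paths, for illustration only.)
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// DANGEROUS: with allow_url_include = On, $page may be a URL, so PHP fetches
// and executes remote code. Even with it Off this is still a local file
// inclusion bug. Defined here only for contrast; never called.
function includePageUnsafe(string $page): void
{
    include $page;
}

// Hardened: map the request onto the allow-list and fail closed.
function resolvePage(?string $page): string
{
    $page = $page ?? 'home';
    if (!array_key_exists($page, PAGES)) {
        return PAGES['home'];   // or hand off to a 404 handler
    }
    return PAGES[$page];
}

// allow_url_include is PHP_INI_SYSTEM: it cannot be changed with ini_set(),
// only in php.ini or the server config, so a script can only detect it.
// (The directive itself is deprecated as of PHP 7.4.)
function remoteIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (remoteIncludeEnabled()) {
    error_log('allow_url_include is On; set "allow_url_include = Off" in php.ini');
}

include resolvePage($_GET['page'] ?? null);
```

Requesting `?page=about` includes only the fixed local file mapped to that key; any other value, URL or path, falls back to the home page.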
