DerScanner
Home / Vulnerability Database / PHP : Remote file operation
PHP

PHP : Remote file operation

Classification

OWASP ASVS
Files and ResourcesFiles and Resources
HIPAA
§164.312 (e)(2)(i)
CWE
CWE-94

Overview

The application uses remote files. This can allow an attacker to inject malicious content.

Parameter allow_url_fopen allows PHP functions that take the path to the file as a parameter to accept URLs of files, which are available via HTTP or FTP. If an attacker controls this URL, he/she may inject malicious content into the application.

Parameter allow_url_include allows PHP functions which specify the file for the connection (for example, include() and require()) to accept a URL of a file available via HTTP or FTP.

References

  1. CWE-94: Improper Control of Generation of Code (‘Code Injection’)
  2. Runtime Configuration - php.net
MEDIUM

DerScanner Severity Score

Do you want to fix PHP : Remote file operation in your application?

See also

PHP

PHP : Null salt

PHP

PHP : Empty password

PHP

PHP : Empty salt