|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #78005 Remote File Inclusion protection bypass in PHP version 7.1.29
Submitted: 2019-05-12 11:27 UTC Modified: 2019-05-13 15:40 UTC
From: manish1046 at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: Filter related
PHP Version: 7.1.29 OS: Windows
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: manish1046 at gmail dot com
New email:
PHP Version: OS:


 [2019-05-12 11:27 UTC] manish1046 at gmail dot com
I was performing Remote File Inclusion attack against an following vulnerable code


In PHP.ini file, I changed the settings just for 'allow_url_fopen' and set it to "Off". 'allow_url_include' is also set to "Off". 

When I tried to include PHP code file hosted remotely (over HTTP), vulnerable code did not include the PHP code from remote URL.
But PHP has behaviour and it make request to SMB share even if it is hosted remotely.

Now, when I configured SMB share with anonymous read access enabled on it and hosted PHP code on that share, when asked PHP vulnerable code to including the PHP code hosted over SMB, it worked.
For example,\\remote_ip\share_name\shell.php

When performing this test, 'allow_url_fopen' and 'allow_url_include', both are set to "Off". 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-13 12:00 UTC]
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2019-05-13 12:00 UTC]
So basically vuln.php is doing:


Since UNC paths are not URLs, they are not subject to allow_url_*.
Am I missing something?
 [2019-05-13 12:14 UTC] manish1046 at gmail dot com
-Status: Feedback +Status: Assigned
 [2019-05-13 12:14 UTC] manish1046 at gmail dot com

Yes, you are right. 
So in this case PHP is not going to block the Remote URL inclusion? Is this the expected behaviour?

And one more thing, what if code is including URL from webdav URLs.
For example:




Again, in this case also PHP is not going to prevent it?

Thank You
 [2019-05-13 14:04 UTC]
-Status: Assigned +Status: Not a bug
 [2019-05-13 14:04 UTC]
PHP doesn't regard UNC file paths as URLs, so these are not
affected by the allow_url_* INI directives.
 [2019-05-13 15:40 UTC] manish1046 at gmail dot com
Oh. Thank You for your time and explanation.
Take care (y)
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Sep 26 23:05:52 2022 UTC