Sec Bug #78005 Remote File Inclusion protection bypass in PHP version 7.1.29
Submitted: 2019-05-12 11:27 UTC
Modified: 2019-05-13 15:40 UTC
From: manish1046 at gmail dot com
Assigned: cmb
Status: Not a bug
Package: Filter related
PHP Version: 7.1.29
OS: Windows
Private report: No
CVE-ID: None
 [2019-05-12 11:27 UTC] manish1046 at gmail dot com
I was performing a Remote File Inclusion attack against the following vulnerable code:


In the php.ini file, I changed the setting for 'allow_url_fopen' and set it to "Off". 'allow_url_include' is also set to "Off".

When I tried to include a PHP code file hosted remotely (over HTTP), the vulnerable code did not include the PHP code from the remote URL.
But PHP has a behaviour where it makes a request to an SMB share even if it is hosted remotely.

Now, when I configured an SMB share with anonymous read access enabled on it and hosted PHP code on that share, and asked the vulnerable PHP code to include the PHP code hosted over SMB, it worked.
For example, \\remote_ip\share_name\shell.php

When performing this test, 'allow_url_fopen' and 'allow_url_include' were both set to "Off".


 [2019-05-13 12:00 UTC]
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
So basically vuln.php is doing:


Since UNC paths are not URLs, they are not subject to allow_url_*.
Am I missing something?
 [2019-05-13 12:14 UTC] manish1046 at gmail dot com
-Status: Feedback +Status: Assigned

Yes, you are right.
So in this case PHP is not going to block the remote URL inclusion? Is this the expected behaviour?

And one more thing: what if the code is including a file from a WebDAV URL?
For example:


Again, in this case also PHP is not going to prevent it?

Thank You
 [2019-05-13 14:04 UTC]
-Status: Assigned +Status: Not a bug
PHP doesn't regard UNC file paths as URLs, so these are not affected by the allow_url_* INI directives.
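Since allow_url_include never sees a UNC path, the check has to live in the application. The following helper is an added example, not code from this bug report or from PHP itself; the function name, the pages/ directory and the sample inputs are assumptions constructed for the demo.

```php
<?php
// Added example, not from the bug report: validate a user-supplied include
// name before handing it to include/require. allow_url_include does not
// apply to UNC paths (\\host\share\file.php), so they are rejected here.
function safe_include_path(string $baseDir, string $requested): ?string
{
    // UNC path (\\host\share or //host/share): PHP treats it as a plain
    // file path on Windows, so allow_url_* never applies. Reject outright.
    if (preg_match('#^[\\\\/]{2}#', $requested)) {
        return null;
    }
    // Anything with a scheme prefix (http:, phar:, C:, ...) is rejected too.
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.-]*:#', $requested)) {
        return null;
    }
    // Positive allow-list: simple relative names only, no traversal.
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $requested)
        || strpos($requested, '..') !== false) {
        return null;
    }
    // realpath() resolves symlinks; the result must stay inside $baseDir.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo: a real pages/home.php is created so one input resolves.
$base = __DIR__ . '/pages';
@mkdir($base);
file_put_contents($base . '/home.php', "<?php echo 'home';\n");
$inputs = [
    'home.php',                              // accepted
    '\\\\remote_ip\\share_name\\shell.php',  // UNC path, rejected
    '//remote_ip/share_name/shell.php',      // UNC with forward slashes, rejected
    'http://example.invalid/shell.php',      // URL wrapper, rejected
    '../config.php',                         // traversal, rejected
];
foreach ($inputs as $p) {
    $resolved = safe_include_path($base, $p);
    printf("%-40s => %s\n", $p, $resolved === null ? 'REJECTED' : 'include ' . $resolved);
}
```

The allow-list regex alone would already reject the UNC and URL forms; the explicit checks are kept so the reason for each rejection is visible in code review.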
 [2019-05-13 15:40 UTC] manish1046 at gmail dot com
Oh. Thank You for your time and explanation.
Take care (y)