Sec Bug #78005 Remote File Inclusion protection bypass in PHP version 7.1.29
Submitted: 2019-05-12 11:27 UTC Modified: 2019-05-13 15:40 UTC
From: manish1046 at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: Filter related
PHP Version: 7.1.29 OS: Windows
Private report: No CVE-ID: None

 [2019-05-12 11:27 UTC] manish1046 at gmail dot com
I was performing a Remote File Inclusion attack against the following vulnerable code


In the php.ini file, I changed the settings just for 'allow_url_fopen' and set it to "Off". 'allow_url_include' is also set to "Off".

When I tried to include a PHP code file hosted remotely (over HTTP), the vulnerable code did not include the PHP code from the remote URL.
But PHP has a behaviour where it makes a request to an SMB share even if it is hosted remotely.

Now, when I configured an SMB share with anonymous read access enabled on it and hosted PHP code on that share, and asked the vulnerable PHP code to include the PHP code hosted over SMB, it worked.
For example, \\remote_ip\share_name\shell.php

When performing this test, both 'allow_url_fopen' and 'allow_url_include' are set to "Off".


 [2019-05-13 12:00 UTC]
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2019-05-13 12:00 UTC]
So basically vuln.php is doing:


Since UNC paths are not URLs, they are not subject to allow_url_*.
Am I missing something?
 [2019-05-13 12:14 UTC] manish1046 at gmail dot com
-Status: Feedback +Status: Assigned
 [2019-05-13 12:14 UTC] manish1046 at gmail dot com

Yes, you are right. 
So in this case PHP is not going to block the Remote URL inclusion? Is this the expected behaviour?

And one more thing, what if the code is including a URL from WebDAV URLs?
For example:




Again, in this case also PHP is not going to prevent it?

Thank You
 [2019-05-13 14:04 UTC]
-Status: Assigned +Status: Not a bug
 [2019-05-13 14:04 UTC]
PHP doesn't regard UNC file paths as URLs, so these are not
affected by the allow_url_* INI directives.
 [2019-05-13 15:40 UTC] manish1046 at gmail dot com
Oh. Thank You for your time and explanation.
Take care (y)
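
Since the thread concludes that UNC paths fall outside the allow_url_* directives, the include target has to be validated by the application itself. The following is an added example, not code from the report or from PHP; `INCLUDE_BASE`, `resolve_include()` and the `pages` directory are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical base directory holding the only files that may be included.
const INCLUDE_BASE = __DIR__ . '/pages';

/**
 * Resolve a user-supplied page name to a file under INCLUDE_BASE,
 * or return null if the value must not be included.
 */
function resolve_include(string $requested, string $base = INCLUDE_BASE): ?string
{
    // UNC paths (\\host\share\... or //host/share/...) are plain file paths
    // to PHP on Windows, so the allow_url_* directives never apply to them.
    if (preg_match('#^[\\\\/]{2}#', $requested)) {
        return null;
    }
    // Reject any scheme:// form (http, ftp, php, ...), independent of php.ini.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested)) {
        return null;
    }
    // Accept only a bare name: no separators, drive letters, dots or NUL bytes.
    // This allowlist alone would reject the cases above; they are kept explicit.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($baseReal === false || $target === false) {
        return null; // base directory or requested file does not exist
    }
    // After symlink resolution the file must still live under the base directory.
    if (strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample inputs; host and share names are the placeholders used in the report.
$samples = ['home', '\\\\remote_ip\\share_name\\shell.php', '//remote_ip/share_name/shell.php',
            'http://remote_ip/shell.php', '..\\..\\windows\\win.ini'];
foreach ($samples as $s) {
    $path = resolve_include($s);
    printf("%-40s => %s\n", $s, $path ?? 'rejected');
}
```

Only the value returned by `resolve_include()` should ever reach `include`; `home` resolves only if a `pages/home.php` file exists next to the script.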
Last updated: Wed Dec 07 13:03:50 2022 UTC