界: Environment

本节包括的所有内容均与源代码无关，但对所创建产品的安全性仍然至关重要。因为本节涉及的问题与源代码没有直接关系，所以我们将它与其他章节分开。

PHP Misconfiguration: allow_url_include Enabled

Abstract

包含那些引用远程文件的指令可能会造成攻击者将恶意内容注入程序中。

Explanation

如果启用 allow_url_include 选项，会导致用于指定在当前页面包含某个文件的 PHP 函数，如 include() 和 require()，接受指向远程文件的 HTTP 或 FTP URL。该选项是在 PHP 5.2.0 中引入的，并且默认情况下被禁用，由于它可能会导致攻击者将恶意内容引入程序中，因此具有危险性。最理想的情况是，攻击者篡改了远程文件来引入恶意内容，因此包含远程文件导致应用程序容易受到攻击。最糟糕的情况是，攻击者控制了应用程序用来指定要包含的远程文件的 URL，这样一来，攻击者就可以将一个 URL 提供给远程服务器，从而可以将任意恶意内容注入应用程序中。

References

[1] M. Achour et al. PHP Manual

[2] Standards Mapping - Common Weakness Enumeration CWE ID 94

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094

[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094

[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution

[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[33] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.php.php_misconfiguration_allow_url_include