Most applications do not require or expect the file access functions to download remotely accessible files. However, attackers can abuse these
remote file access features while exploiting other vulnerabilities, such as path traversal issues.
What is the potential impact?
While activating these settings does not pose a direct threat to the application’s security, they can make the exploitation of other
vulnerabilities easier and more severe.
If an attacker can control a file location while allow_url_fopen is set to 1, they can use this ability to perform a
Server-Side Request Forgery exploit. This allows the attacker to affect more than just the local application and they may be able to laterally attack
other assets on the local network.
If allow_url_include is set to 1, the attacker will also have the ability to download and execute arbitrary PHP code.
