Urgent: Security Issue with PHP.ini Directive

I hope this message finds you well. I am writing to bring to your attention a potential security risk related to the PHP.ini directive on my hosting account.

Enabling the directive that allows for cross-site scripting (XSS) in the PHP.ini file can expose websites to significant security vulnerabilities. There is no valid reason to enable this directive, and using PHP code that requires it is highly risky.

I kindly request that you review and address this issue promptly to ensure the security and integrity of our website and data.

Thank you for your attention to this matter. I look forward to your prompt response and resolution.

Best regards,

allow_url_include = off

Please do not use AI to post.
Whatever you have mentioned is not applicable to free hosting.
There is no PHP.ini and CORS is not allowed on free hosting as well.

Which account?

9 Likes

Thanks

My account that I’m using now.

But in this case, what can I do to avoid XSS attacks without the possibility of changing the file?

This?

7 Likes

Where do you see this as being enabled? This has always been off, as far as I’m aware (with the most recent response from 9 days ago here):

8 Likes

If I create a small PHP file with these contents:

<?php
echo "allow_url_include setting: ".ini_get('allow_url_include')."<br>";

And then open it, I see:

allow_url_include setting: off

So the allow_url_include setting is already set to off. And as far as I know, it has always been that way.

What did you find that made you suspect otherwise? Do you have any code, website or URL that proves that this vulnerability exists?

6 Likes
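A fuller version of the check in the post above, as an added example that is not part of the original thread. It assumes only that you can upload a PHP file to the account; the function names `ini_flag` and `audit_url_includes` are made up for this example. `ini_get()` can return a boolean directive as "1", "0", an empty string, or the literal "On"/"Off", so the value is normalised before it is reported.

```php
<?php
declare(strict_types=1);

/**
 * Normalise an ini_get() result to true / false / null.
 * ini_get() returns false when the directive is unknown to this PHP build,
 * and a boolean directive may come back as "1", "0", "", "On", "Off", ...
 */
function ini_flag(string $name): ?bool
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null; // directive does not exist here
    }
    // "1", "true", "on", "yes" => true; "0", "false", "off", "no", "" => false;
    // anything else => null (value is not a recognisable boolean).
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

/**
 * Report the two directives that control URL wrappers in include/require.
 * allow_url_include only has an effect when allow_url_fopen is also on.
 */
function audit_url_includes(): array
{
    $include = ini_flag('allow_url_include');
    $fopen   = ini_flag('allow_url_fopen');

    return [
        'allow_url_include'       => $include,
        'allow_url_fopen'         => $fopen,
        'remote_include_possible' => $include === true && $fopen === true,
    ];
}

// Plain-text output, so nothing on the page is interpreted as HTML.
header('Content-Type: text/plain; charset=utf-8');
foreach (audit_url_includes() as $key => $value) {
    echo $key, ': ', var_export($value, true), "\n";
}
```

On an account where the setting is off, as reported above, `allow_url_include` and `remote_include_possible` both print `false`. Delete the file after checking so it does not keep exposing configuration details.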

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.