CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')


A file inclusion attack is specific to the PHP language. It consists of exploiting PHP inclusion statements (include, require, require_once, ...) to include arbitrary pages and commands.

Let's take an example. Suppose a PHP application contains the following code:

 * index.php?page=news

A normal use would be to include internal pages:

But an attacker could easily exploit it to include unexpected pages within the same application (LFI):

or even worse, external pages from another site (RFI):

Read more: Local File Inclusion and Remote File Inclusion
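
The following is an added example, not code from the original page: it contrasts the kind of include pattern described above with an allow-list lookup. The function names, the PAGES map, the pages/ directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Vulnerable pattern (CWE-98): the request value becomes part of the include
// path. Shown as a path-building function so the result can be inspected
// without including anything. The real code would be:
//     include($_GET['page'] . '.php');
function resolve_page_vulnerable(string $page): string
{
    return $page . '.php';
}

// Hardened pattern: the request value is only a lookup key. The file name
// comes from a fixed allow-list (hypothetical pages), never from the request.
const PAGES = [
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

function resolve_page_safe(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                    // unknown key: caller answers 404
    }
    return $baseDir . '/pages/' . PAGES[$page];
}

// Constructed sample inputs: one normal value, one local path outside the
// page directory (LFI), one external URL (RFI).
$samples = [
    'news',
    '../../config/settings',
    'http://other-site.example/page',
];

foreach ($samples as $input) {
    printf(
        "%-32s vulnerable=%-36s safe=%s\n",
        $input,
        resolve_page_vulnerable($input),
        var_export(resolve_page_safe($input, __DIR__), true)
    );
}

// In a real front controller:
//     $file = resolve_page_safe($_GET['page'] ?? 'news', __DIR__);
//     if ($file === null) { http_response_code(404); exit; }
//     require $file;
// Defense in depth: keep allow_url_include = Off in php.ini (the default),
// so include/require cannot fetch remote URLs even if a path check is missed.
```

Only the first input resolves to a file under the hardened function; the other two return NULL, while the vulnerable version turns each of them into an include path.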

Risk measurement

Weakness Prevalence: Common
Remediation Cost: Low to Medium
Attack Frequency: Often
Consequences: Code execution, Data loss
Ease of Detection: Easy
Attacker Awareness: High