Name PHP Remote File Inclusion
Summary In this pattern the adversary is able to load and execute arbitrary code hosted remotely through the target application. This is usually accomplished through an insecurely configured PHP runtime environment combined with an improperly sanitized "include" or "require" call, which the adversary can then control to point at any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
Prerequisites
Target application server must allow remote files to be included in the "require", "include", etc. PHP directives.
The adversary must have the ability to make HTTP requests to the target web application.
Solutions
Implementation: Perform input validation for all remote content, including remote and user-generated content.
Implementation: Only allow known files to be included (whitelist).
Implementation: Make use of indirect references passed in URL parameters instead of file names.
Configuration: Ensure that remote scripts cannot be included via the "include" or "require" PHP directives.
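An added example (not part of the CAPEC entry) showing the insecure include the summary describes next to the whitelist and indirect-reference mitigations listed above; the pages/ file names and the php.ini check are illustrative assumptions.

```php
<?php
// Added example, not CAPEC text. Insecure pattern beside two mitigations.
// The files under pages/ are assumed for illustration.

// INSECURE: the request parameter is used directly as the include path.
// If the runtime permits URL includes (php.ini: allow_url_include=On), a
// remote script URL supplied in ?page= is fetched and executed (CWE-98).
function includePageInsecure(string $page): void
{
    include $page;
}

// MITIGATION (whitelist): map short names to known local files; anything
// else is rejected before include is reached. Returns the path or null.
function resolvePageByName(string $page): ?string
{
    $allowed = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $allowed[$page] ?? null;
}

// MITIGATION (indirect reference): the URL carries only an integer index
// into a server-side table, so no file name or URL comes from the client.
function resolvePageById(string $id): ?string
{
    $pages = [1 => __DIR__ . '/pages/home.php', 2 => __DIR__ . '/pages/about.php'];
    if (!ctype_digit($id)) {
        return null;
    }
    return $pages[(int) $id] ?? null;
}

// Dispatcher: whitelist lookup plus a runtime configuration check.
function includePageSafely(string $page): bool
{
    // Defence in depth: refuse to serve at all if URL includes are enabled.
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        http_response_code(500);
        return false;
    }
    $path = resolvePageByName($page);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

includePageSafely($_GET['page'] ?? 'home');
```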
Related Weaknesses
CWE ID Description
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-714 OWASP Top Ten 2007 Category A3 - Malicious File Execution