PHP Remote File Inclusion
Attack Pattern ID: 193 (Standard Attack Pattern Completeness: Stub) | Typical Severity: Very High | Status: Draft
Summary
In this pattern the attacker is able to load and execute an arbitrary PHP file. This is usually accomplished through an improperly sanitized "include" call, which the user can then control to point to any web-accessible file. This allows attackers to hijack the targeted application and force it to execute their own instructions.
The targeted PHP application must have a bug that allows an attacker to force it to include a user-specified code file.
The attacker needs to have enough access to the target application to control the identity of the included PHP file.
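The weakness described in the summary, next to a hardened form, as an added example that is not part of the original entry. The request parameter name `page`, the `PAGES` map, the `resolve_page()` helper and the file names are assumptions made for illustration; the sample pages are constructed in a temporary directory so the script runs offline.

```php
<?php
// Added illustration (not from the CAPEC entry). All names are hypothetical.

// Vulnerable form (CWE-98): the request value flows straight into include,
// so the requester chooses which file is executed. Kept as a comment only.
//   include $_GET['page'] . '.php';

// Hardened form: the request value is only a key into a fixed allowlist,
// so no user-supplied string ever becomes part of the include path.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                      // unknown key: nothing is included
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;                      // directory or file does not exist
    }
    // Defence in depth: the resolved file must still live under the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample pages so the demonstration is self-contained.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . '/home.php', '<?php echo "home page\n";');
file_put_contents($dir . '/contact.php', '<?php echo "contact page\n";');

// Constructed request values: two allowlisted keys and three that must fail.
$inputs = ['home', 'contact', 'http://attacker.example/code', '../../etc/passwd', 'home.php'];
foreach ($inputs as $input) {
    $file = resolve_page($input, $dir);
    if ($file === null) {
        echo "rejected: $input\n";
        continue;
    }
    include $file;
}
```

Keeping `allow_url_include = Off` in `php.ini` (the PHP default) is a second layer: it stops `include` from fetching URL wrappers even if a request value does reach it.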
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | Targeted |
Nature | ID | Name | View(s) this relationship pertains to |
---|---|---|---|
ChildOf | 253 | Remote Code Inclusion | Mechanism of Attack (primary) 1000 |
ChildOf | 338 | WASC Threat Classification 2.0 - WASC-05 - Remote File Inclusion | WASC Threat Classification 2.0 333 |