PHP Remote File Inclusion
Attack Pattern ID: 193 (Standard Attack Pattern Completeness: Stub)Typical Severity: Very HighStatus: Draft
+ Description


In this pattern the attacker is able to load and execute an arbitrary PHP file. This is usually accomplished through an improperly sanitized "include" call, which the user can then control to point to any web-accessible file. This allows attackers to hijack the targeted application and force it to execute their own instructions.

+ Attack Prerequisites

The targeted PHP application must have a bug that allows an attacker to force it to include a user-specified code file.

+ Resources Required

The attacker needs to have enough access to the target application to control the identity of the included PHP file.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')Targeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfCategoryCategory253Remote Code Inclusion 
Mechanism of Attack (primary)1000
ChildOfCategoryCategory338WASC Threat Classification 2.0 - WASC-05 - Remote File Inclusion 
WASC Threat Classification 2.0333