File inclusion

File inclusion

Published on 2004-03-27. Updated on 2009-04-22.

Description:
This script is possibly vulnerable to file inclusion attacks.

It seems that this script includes a file which name is determined using user-supplied data. This data is not properly validated before being passed to the include function.

Impact:
It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the webserver.

Recommendation:
Edit the source code to ensure that input is properly validated. Where is possible, it is recommended to make a list of accepted filenames and restrict the input to that list.

For PHP, the option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. It is recommended to disable this option from php.ini.

Tags: Parameter manipulation,File inclusion

Alert Tags: file_inclusion
ApplicableApplicationServer : All
ApplicableOS: All
ApplicableWebServer: All

References:

PHP - Using remote files

Code Injection Vulnerabilities Explained

OWASP PHP Top 5

Go Back

• Product Information
• Download
• Product Tour
• Brochure (PDF)
• Pricing
• Testimonials
• Customer references
• Resell Acunetix
• Acunetix in the Press
• List of vulnerability checks

• Learn more
• SQL Injection
• Cross site scripting
• Web Security
• Directory Traversal
• Ajax Application Security
• Google Hacking