PHP code injection

Published on 2005-10-18. Updated on 2009-04-22.

Description:
This script is vulnerable to PHP code injection.

PHP code injection is a vulnerability that allows an attacker to inject custom code into the server-side scripting engine. It occurs when an attacker can control all or part of an input string that is fed into an eval() function call; eval() executes its argument as PHP code.

Impact:
Malicious users may inject PHP code that is then executed on the server side. It is also possible to run system commands if the PHP interpreter allows system() or similar functions.

Recommendation:
Your script should properly sanitize user input.
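The following is an added example, not code from the advisory or from the scanned application. It shows the pattern described above (user input concatenated into a string passed to eval()) next to a hardened form that never calls eval() at all: the input is checked against a strict allowlist and then interpreted by a small purpose-built evaluator. The parameter name "expr", both function names and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the advisory's own code. Function names and the "expr"
// parameter are hypothetical; the pattern is the one the advisory describes.

// VULNERABLE: the caller controls part of the string handed to eval(), so the
// input is executed as PHP rather than treated as data.
function vulnerable_calc(string $expr): string
{
    $result = null;
    eval('$result = ' . $expr . ';');   // user input becomes executable code
    return (string) $result;
}

// HARDENED: no eval() at all. The input is validated against a strict
// allowlist and then interpreted by a purpose-built evaluator that only
// understands integers joined by "+" and "-".
function safe_calc(string $expr): string
{
    $expr = trim($expr);
    // Allowlist: digits, spaces and the two operators. Anything else is
    // rejected up front instead of being "sanitized" into something that
    // might still be interpreted as code.
    if (!preg_match('/^\d+(\s*[+-]\s*\d+)*$/', $expr)) {
        throw new InvalidArgumentException('expression not in the allowed form');
    }
    preg_match_all('/\d+|[+-]/', $expr, $m);
    $tokens = $m[0];

    // Left-to-right evaluation of the validated token stream.
    $total = (int) array_shift($tokens);
    while ($tokens !== []) {
        $op = array_shift($tokens);
        $n  = (int) array_shift($tokens);
        $total = ($op === '+') ? $total + $n : $total - $n;
    }
    return (string) $total;
}

// Constructed inputs for demonstration: two valid expressions and one that
// contains characters outside the allowlist and is therefore rejected.
$inputs = ['2 + 3 - 1', '10-4', '2 + abc'];
foreach ($inputs as $in) {
    try {
        printf("%-12s => %s\n", $in, safe_calc($in));
    } catch (InvalidArgumentException $e) {
        printf("%-12s => rejected (%s)\n", $in, $e->getMessage());
    }
}
```

The point of the hardened version is that the allowlist defines exactly what the script will accept, and the value is never handed back to the PHP parser; "sanitizing" input that still reaches eval() is far more fragile. As defence in depth against the impact described above, the php.ini directive disable_functions can be used to block system() and similar functions, but that limits the damage rather than fixing the injection.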

Tags: Parameter manipulation, PHP code injection

Alert Tags: code_execution
ApplicableApplicationServer: All
ApplicableOS: All
ApplicableWebServer: All

References:

  • Dynamic Evaluation Vulnerabilities in PHP applications
  • OWASP PHP Top 5