File inclusion

Description
  • This script is possibly vulnerable to file inclusion attacks. <br/><br/>It seems that this script includes a file which name is determined using user-supplied data. This data is not properly validated before being passed to the include function.
Remediation
  • Edit the source code to ensure that input is properly validated. Where is possible, it is recommended to make a list of accepted filenames and restrict the input to that list.<br/><br/> For PHP, the option <strong>allow_url_fopen</strong> would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. It is recommended to disable this option from php.ini.
References
Severity
Classification
Tags