Include vulnerability
Encyclopedia
A server-side include vulnerability is a vulnerability that may allow an attacker to execute arbitrary scripts
on a host server
by causing an existing script to include an arbitrary file. The vulnerability arises by allowing unchecked user data to be passed to include directives in scripting languages, such as PHP
.
may allow the application developer to include an external PHP script in the running script. If it is possible for the user to control arguments
to the include function, it may be possible for a malicious user to direct the vulnerable script to execute arbitrary code on the host server, allowing complete control of PHP execution on the host server.
The proper solution to this vulnerability is to modify the vulnerable code in order to prevent user control of file include directives.
A PHP include vulnerability may be partially mitigated in some cases by using PHP's allow_url_fopen and allow_url_include options in an effort to limit file inclusion to local files, but this may be evaded in some cases (e.g. by including Apache's logfile which may contain arbitrary PHP code).
Scripting language
A scripting language, script language, or extension language is a programming language that allows control of one or more applications. "Scripts" are distinct from the core code of the application, as they are usually written in a different language and are often created or at least modified by the...
on a host server
Server (computing)
In the context of client-server architecture, a server is a computer program running to serve the requests of other programs, the "clients". Thus, the "server" performs some computational task on behalf of "clients"...
by causing an existing script to include an arbitrary file. The vulnerability arises by allowing unchecked user data to be passed to include directives in scripting languages, such as PHP
PHP
PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. For this purpose, PHP code is embedded into the HTML source document and interpreted by a web server with a PHP processor module, which generates the web page document...
.
A PHP example
In PHP,include
, require
and similar functionsSubroutine
In computer science, a subroutine is a portion of code within a larger program that performs a specific task and is relatively independent of the remaining code....
may allow the application developer to include an external PHP script in the running script. If it is possible for the user to control arguments
Parameter (computer science)
In computer programming, a parameter is a special kind of variable, used in a subroutine to refer to one of the pieces of data provided as input to the subroutine. These pieces of data are called arguments...
to the include function, it may be possible for a malicious user to direct the vulnerable script to execute arbitrary code on the host server, allowing complete control of PHP execution on the host server.
The proper solution to this vulnerability is to modify the vulnerable code in order to prevent user control of file include directives.
A PHP include vulnerability may be partially mitigated in some cases by using PHP's allow_url_fopen and allow_url_include options in an effort to limit file inclusion to local files, but this may be evaded in some cases (e.g. by including Apache's logfile which may contain arbitrary PHP code).
External links
- Remote File Inclusion Vulnerabilities The Web Application Security Consortium Threat Classification