Naziv
|
PHP Remote File Inclusion
|
Sažetak
|
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
|
Preduvjeti
|
Target application server must allow remote files to be included in the "require", "include", etc. PHP directives|The adversary must have the ability to make HTTP requests to the target web application.
|
Rješenja
|
['Implementation: Perform input validation for all remote content, including remote and user-generated content', 'Implementation: Only allow known files to be included (allowlist)', 'Implementation: Make use of indirect references passed in URL parameters instead of file names', 'Configuration: Ensure that remote scripts cannot be include in the "include" or "require" PHP directives']
|