CWE-98 Individual Dictionary Definition (Draft 9)

| Field | Value |
|---|---|
| Compound Element ID | 98 |
| Status | Draft |
| Compound Element Base | Composite |
| Description (Summary) | The software allows user-controlled data to be directly processed by the PHP interpreter before inclusion in the script through use of "require," "include," or similar statements. |
| Alternate Terms | PHP remote file inclusion |
| Affected Resource | File/Directory |
| Potential Mitigations | Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system. |
| Context Notes | This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role. Can overlap directory traversal in local inclusion problems. |
| Research Gaps | Other interpreted languages with "require" and "include" functionality could also produce vulnerable applications, but as of 2007, PHP has been the focus. |
| References | |
| Relationships | |
| Source Taxonomies | PLOVER - PHP File Include |
| Applicable Platforms | PHP |

Observed Examples

| Reference | Description |
|---|---|
| CVE-2004-0285 | Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. |
| CVE-2004-0030 | Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. |
| CVE-2004-0068 | Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. |
| CVE-2005-2157 | Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. |
| CVE-2005-2162 | Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. |
| CVE-2005-2198 | Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request. |
| CVE-2004-0128 | Modification of assumed-immutable variable in configuration script leads to file inclusion. |
| CVE-2005-1864 | PHP file inclusion. |
| CVE-2005-1869 | PHP file inclusion. |
| CVE-2005-1870 | PHP file inclusion. |
| CVE-2005-2154 | PHP local file inclusion. |
| CVE-2002-1704 | PHP remote file include. |
| CVE-2002-1707 | PHP remote file include. |
| CVE-2005-1964 | PHP remote file include. |
| CVE-2005-1681 | PHP remote file include. |
| CVE-2005-2086 | PHP remote file include. |
| CVE-2004-0127 | Directory traversal vulnerability in PHP include statement. |
| CVE-2005-1971 | Directory traversal vulnerability in PHP include statement. |
| CVE-2005-3335 | PHP file inclusion issue, both remote and local; local include uses ".." and "%00" characters as a manipulation, but many remote file inclusion issues probably have this vector. |
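The weak pattern the Description names, beside the allow-list approach the Potential Mitigations field calls for, as an added example that is not part of the CWE entry; the template directory, the page keys and the file names are assumed for illustration.

```php
<?php
// Added example (not from the CWE entry): a page loader that picks a template
// from a request parameter. The first function is the weak pattern CWE-98
// describes; the second applies the entry's mitigation (only expected input is
// processed) and verifies the resolved path before anything is included.
// TEMPLATE_DIR, the page keys and the file names are assumed.

// Weak: the request parameter reaches include() unchanged, so the caller
// controls which file (or, with allow_url_include enabled, which URL) is run.
function load_page_unsafe(string $page): void
{
    include $page . '.php';
}

// Hardened: a fixed map from expected keys to known files (the allow-list),
// plus a defence-in-depth check that the resolved file sits under TEMPLATE_DIR.
const TEMPLATE_DIR = __DIR__ . '/templates';           // assumed location
const ALLOWED_PAGES = [                                 // assumed page set
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;                                    // reject, do not "clean", unexpected input
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_PAGES[$page]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                    // file missing or outside the template directory
    }
    return $path;
}

function load_page(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(400);
        echo 'unknown page';
        return;
    }
    include $path;                                      // only an allow-listed, verified path gets here
}

load_page($_GET['page'] ?? 'home');
```

Setting allow_url_include=Off in php.ini removes the remote variant regardless of application code, but the local variant (the traversal cases listed under Observed Examples) still needs the allow-list in the code itself.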