CWE - CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') (1.4)

Home > CWE List > CWE- Individual Dictionary Definition (1.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Individual Definition in a New Window

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Status: Draft

Compound Element ID: 98 (Compound Element Base: Composite)

Description

Summary

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Extended Description

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

Alternate Terms

PHP remote file inclusion

Time of Introduction

Implementation

Applicable Platforms

Languages

PHP

Observed Examples

Reference	Description
CVE-2002-1704	PHP remote file include.
CVE-2002-1707	PHP remote file include.
CVE-2004-0030	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2004-0068	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2004-0127	Directory traversal vulnerability in PHP include statement.
CVE-2004-0128	Modification of assumed-immutable variable in configuration script leads to file inclusion.
CVE-2004-0285	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-1681	PHP remote file include.
CVE-2005-1864	PHP file inclusion.
CVE-2005-1869	PHP file inclusion.
CVE-2005-1870	PHP file inclusion.
CVE-2005-1964	PHP remote file include.
CVE-2005-1971	Directory traversal vulnerability in PHP include statement.
CVE-2005-2086	PHP remote file include.
CVE-2005-2154	PHP local file inclusion.
CVE-2005-2157	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-2162	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-2198	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-3335	PHP file inclusion issue, both remote and local; local include uses ".." and "%00" characters as a manipulation, but many remote file inclusion issues probably have this vector.

Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	706	Use of Incorrectly-Resolved Name or Reference	Research Concepts (primary)1000
CanPrecede	Weakness Class	94	Failure to Control Generation of Code ('Code Injection')	Development Concepts (primary)699 Research Concepts1000
CanAlsoBe	Compound Element: Composite	426	Untrusted Search Path	Research Concepts1000
Requires	Weakness Base	456	Missing Initialization	Research Concepts1000
Requires	Weakness Variant	473	PHP External Variable Modification	Research Concepts1000
Requires	Weakness Base	425	Direct Request ('Forced Browsing')	Research Concepts1000
Requires	Weakness Class	216	Containment Errors (Container Errors)	Research Concepts1000
ChildOf	Category	632	Weaknesses that Affect Files or Directories	Resource-specific Weaknesses (primary)631
ChildOf	Category	714	OWASP Top Ten 2007 Category A3 - Malicious File Execution	Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOf	Category	727	OWASP Top Ten 2004 Category A6 - Injection Flaws	Weaknesses in OWASP Top Ten (2004) (primary)711
CanFollow	Weakness Base	184	Incomplete Blacklist	Research Concepts1000
CanFollow	Weakness Class	73	External Control of File Name or Path	Research Concepts1000

Relationship Notes

This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role.

Can overlap directory traversal in local inclusion problems.

Research Gaps

Under-researched and under-reported. Other interpreted languages with "require" and "include" functionality could also product vulnerable applications, but as of 2007, PHP has been the focus. Any web-accessible language that uses executable file extensions is likely to have this type of issue, such as ASP, since .asp extensions are typically executable. Languages such as Perl are less likely to exhibit these problems because the .pl extension isn't always configured to be executable by the web server.

Affected Resources

File/Directory

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			PHP File Include
OWASP Top Ten 2007	A3	CWE More Specific	Malicious File Execution

References

Shaun Clowes. "A Study in Scarlet". <http://www.cgisecurity.com/lib/studyinscarlet.txt>.

Content History

Submissions

PLOVER. (Externally Mined)

Modifications

Eric Dalci. Cigital. 2008-07-01. (External)

updated Time_of_Introduction

CWE Content Team. MITRE. 2008-09-08. (Internal)

updated Relationships, Relationship_Notes, Research_Gaps, Taxonomy_Mappings

CWE Content Team. MITRE. 2009-01-12. (Internal)

updated Relationships

CWE Content Team. MITRE. 2009-03-10. (Internal)

updated Relationships

CWE Content Team. MITRE. 2009-05-27. (Internal)

updated Description, Name

Previous Entry Names

PHP File Inclusion (changed 2008-04-11)

Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') (changed 2009-05-27)

Page Last Updated: May 26, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us