CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.4)  

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Individual Definition in a New Window
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Status: Draft
Compound Element ID: 98 (Compound Element Base: Composite)
+ Description
Summary

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Extended Description

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

+ Alternate Terms
PHP remote file inclusion
+ Time of Introduction
* Implementation
+ Applicable Platforms
Languages
PHP
+ Observed Examples
ReferenceDescription
PHP remote file include.
PHP remote file include.
Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
Directory traversal vulnerability in PHP include statement.
Modification of assumed-immutable variable in configuration script leads to file inclusion.
Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
PHP remote file include.
PHP file inclusion.
PHP file inclusion.
PHP file inclusion.
PHP remote file include.
Directory traversal vulnerability in PHP include statement.
PHP remote file include.
PHP local file inclusion.
Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
PHP file inclusion issue, both remote and local; local include uses ".." and "%00" characters as a manipulation, but many remote file inclusion issues probably have this vector.
+ Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness ClassWeakness Class706Use of Incorrectly-Resolved Name or Reference
Research Concepts (primary)1000
CanPrecedeWeakness ClassWeakness ClassWeakness Class94Failure to Control Generation of Code ('Code Injection')
Development Concepts (primary)699
Research Concepts1000
CanAlsoBeCompound Element: CompositeCompound Element: Composite426Untrusted Search Path
Research Concepts1000
RequiresWeakness BaseWeakness BaseWeakness Base456Missing Initialization
Research Concepts1000
RequiresWeakness VariantWeakness VariantWeakness Variant473PHP External Variable Modification
Research Concepts1000
RequiresWeakness BaseWeakness BaseWeakness Base425Direct Request ('Forced Browsing')
Research Concepts1000
RequiresWeakness ClassWeakness ClassWeakness Class216Containment Errors (Container Errors)
Research Concepts1000
ChildOfCategoryCategory632Weaknesses that Affect Files or Directories
Resource-specific Weaknesses (primary)631
ChildOfCategoryCategory714OWASP Top Ten 2007 Category A3 - Malicious File Execution
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory727OWASP Top Ten 2004 Category A6 - Injection Flaws
Weaknesses in OWASP Top Ten (2004) (primary)711
CanFollowWeakness BaseWeakness BaseWeakness Base184Incomplete Blacklist
Research Concepts1000
CanFollowWeakness ClassWeakness ClassWeakness Class73External Control of File Name or Path
Research Concepts1000
+ Relationship Notes

This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role.

Can overlap directory traversal in local inclusion problems.

+ Research Gaps

Under-researched and under-reported. Other interpreted languages with "require" and "include" functionality could also product vulnerable applications, but as of 2007, PHP has been the focus. Any web-accessible language that uses executable file extensions is likely to have this type of issue, such as ASP, since .asp extensions are typically executable. Languages such as Perl are less likely to exhibit these problems because the .pl extension isn't always configured to be executable by the web server.

+ Affected Resources
* File/Directory
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVER  PHP File Include
OWASP Top Ten 2007A3CWE More SpecificMalicious File Execution
+ References
Shaun Clowes. "A Study in Scarlet". <http://www.cgisecurity.com/lib/studyinscarlet.txt>.
+ Content History
Submissions
PLOVER. (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Relationship_Notes, Research_Gaps, Taxonomy_Mappings
CWE Content Team. MITRE. 2009-01-12. (Internal)
updated Relationships
CWE Content Team. MITRE. 2009-03-10. (Internal)
updated Relationships
CWE Content Team. MITRE. 2009-05-27. (Internal)
updated Description, Name
Previous Entry Names
* PHP File Inclusion (changed 2008-04-11)
* Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion') (changed 2009-05-27)
Page Last Updated: May 26, 2009