CWE
Home > CWE List > CWE-98 Individual Dictionary Definition (Draft 9)   View the CWE List

CWE-98 Individual Dictionary Definition (Draft 9)

Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')
Compound Element ID
Status: Draft

98 (Compound Element Base: Composite)

Description

Summary

The software allows user-controlled data to be directly processed by the PHP interpreter before inclusion in the script through use of "require," "include," or similar statements.

Alternate Terms

PHP remote file inclusion

Affected Resource

File/Directory

Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system.

Observed Examples
ReferenceDescription
CVE-2004-0285Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2004-0030Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2004-0068Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-2157Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-2162Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-2198Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2004-0128Modification of assumed-immutable variable in configuration script leads to file inclusion.
CVE-2005-1864PHP file inclusion.
CVE-2005-1869PHP file inclusion.
CVE-2005-1870PHP file inclusion.
CVE-2005-2154PHP local file inclusion.
CVE-2002-1704PHP remote file include.
CVE-2002-1707PHP remote file include.
CVE-2005-1964PHP remote file include.
CVE-2005-1681PHP remote file include.
CVE-2005-2086PHP remote file include.
CVE-2004-0127Directory traversal vulnerability in PHP include statement.
CVE-2005-1971Directory traversal vulnerability in PHP include statement.
CVE-2005-3335PHP file inclusion issue, both remote and local; local include uses ".." and "%00" characters as a manipulation, but many remote file inclusion issues probably have this vector.
Context Notes

This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role.

Can overlap directory traversal in local inclusion problems.

Research Gaps

Other interpreted languages with "require" and "include" functionality could also product vulnerable applications, but as of 2007, PHP has been the focus.

References

Shaun Clowes. "A Study in Scarlet". <http://www.cgisecurity.com/lib/studyinscarlet.txt>.

Relationships
NatureTypeIDName
ChildOfWeakness ClassWeakness ClassWeakness Class94Code Injection
CanAlsoBeCompound Element: CompositeCompound Element: Composite426Untrusted Search Path
RequiresWeakness BaseWeakness BaseWeakness Base456Missing Initialization
RequiresWeakness VariantWeakness VariantWeakness Variant473PHP External Variable Modification
RequiresWeakness BaseWeakness BaseWeakness Base425Direct Request ('Forced Browsing')
RequiresWeakness ClassWeakness ClassWeakness Class216Containment Errors (Container Errors)
ChildOfViewView629
ChildOfCategoryCategory632Weaknesses that Affect Files or Directories
CanFollowWeakness BaseWeakness BaseWeakness Base184Incomplete Blacklist
CanFollowWeakness VariantWeakness VariantWeakness Variant473PHP External Variable Modification
Source Taxonomies

PLOVER - PHP File Include

Applicable Platforms

PHP

Back to top
Page Last Updated: April 22, 2008
 

CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us