CWE - COMPOSITE LIST: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') (1.6)

Home > CWE List > COMPOSITE LIST: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Definition in a New Window

Compound Element ID: 98 (Compound Element Base: Composite)

Status: Draft

Description

Description Summary

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Extended Description

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

Alternate Terms

PHP remote file inclusion

Time of Introduction

Implementation

Applicable Platforms

Languages

PHP

Observed Examples

Reference	Description
CVE-2004-0285	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2004-0030	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2004-0068	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-2157	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-2162	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2005-2198	Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
CVE-2004-0128	Modification of assumed-immutable variable in configuration script leads to file inclusion.
CVE-2005-1864	PHP file inclusion.
CVE-2005-1869	PHP file inclusion.
CVE-2005-1870	PHP file inclusion.
CVE-2005-2154	PHP local file inclusion.
CVE-2002-1704	PHP remote file include.
CVE-2002-1707	PHP remote file include.
CVE-2005-1964	PHP remote file include.
CVE-2005-1681	PHP remote file include.
CVE-2005-2086	PHP remote file include.
CVE-2004-0127	Directory traversal vulnerability in PHP include statement.
CVE-2005-1971	Directory traversal vulnerability in PHP include statement.
CVE-2005-3335	PHP file inclusion issue, both remote and local; local include uses ".." and "%00" characters as a manipulation, but many remote file inclusion issues probably have this vector.

Potential Mitigations

Phase	Description
	Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
CanPrecede	Weakness Class	94	Failure to Control Generation of Code ('Code Injection')	Development Concepts (primary)699 Research Concepts1000
Requires	Weakness Class	216	Containment Errors (Container Errors)	Research Concepts1000
Requires	Weakness Base	425	Direct Request ('Forced Browsing')	Research Concepts1000
CanAlsoBe	Compound Element: Composite	426	Untrusted Search Path	Research Concepts1000
Requires	Weakness Base	456	Missing Initialization	Research Concepts1000
Requires	Weakness Variant	473	PHP External Variable Modification	Research Concepts1000
ChildOf	Category	632	Weaknesses that Affect Files or Directories	Resource-specific Weaknesses (primary)631
ChildOf	Weakness Class	706	Use of Incorrectly-Resolved Name or Reference	Research Concepts (primary)1000
ChildOf	Category	714	OWASP Top Ten 2007 Category A3 - Malicious File Execution	Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOf	Category	727	OWASP Top Ten 2004 Category A6 - Injection Flaws	Weaknesses in OWASP Top Ten (2004) (primary)711
CanFollow	Weakness Class	73	External Control of File Name or Path	Research Concepts1000
CanFollow	Weakness Base	184	Incomplete Blacklist	Research Concepts1000

Relationship Notes

This is frequently a functional consequence of other weaknesses. It is usually multi-factor with other factors (e.g. MAID), although not all inclusion bugs involve assumed-immutable data. Direct request weaknesses frequently play a role.

Can overlap directory traversal in local inclusion problems.

Research Gaps

Under-researched and under-reported. Other interpreted languages with "require" and "include" functionality could also product vulnerable applications, but as of 2007, PHP has been the focus. Any web-accessible language that uses executable file extensions is likely to have this type of issue, such as ASP, since .asp extensions are typically executable. Languages such as Perl are less likely to exhibit these problems because the .pl extension isn't always configured to be executable by the web server.

Affected Resources

File/Directory

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			PHP File Include
OWASP Top Ten 2007	A3	CWE More Specific	Malicious File Execution

References

Shaun Clowes. "A Study in Scarlet". <http://www.cgisecurity.com/lib/studyinscarlet.txt>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Relationship Notes, Research Gaps, Taxonomy Mappings
2009-01-12	CWE Content Team	MITRE	Internal
2009-01-12	updated Relationships
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Relationships
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Description, Name

Weakness Class Containment Errors (Container Errors) - (216)

Weakness Base Direct Request ('Forced Browsing') - (425)

Weakness Base Missing Initialization - (456)

Weakness Variant PHP External Variable Modification - (473)

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us