Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Compound Element ID: 98 (Compound Element Base: Composite)
Status: Draft
Description
Description Summary
The PHP application receives input from an upstream component,
but it does not restrict or incorrectly restricts the input before its usage in
"require," "include," or similar functions.
Extended Description
In certain versions and configurations of PHP, this can allow an attacker
to specify a URL to a remote location from which the software will obtain
the code to execute. In other cases in association with path traversal, the
attacker can specify a local file that may contain executable statements
that can be parsed by PHP.
Observed Examples
PHP file inclusion issue, both remote and local. The local include uses ".."
(directory traversal) and "%00" (a null byte that, in affected PHP versions,
truncates an appended suffix such as ".php") as the manipulation; many remote
file inclusion issues likely share this vector.
Potential Mitigations
Assume all input is malicious. Use an appropriate combination of block lists
and allow lists to ensure only valid and expected input is processed by the
system. For file inclusion the effective control is an allow list of the few
values the application expects (a fixed set of page names mapped to files on
disk), not a block list of characters such as ".." or "%00", which encoding
and platform differences make easy to bypass. Disable allow_url_include (and
allow_url_fopen where it is not needed) so that include() and require()
cannot fetch code from a remote URL at all.
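The remote and local inclusion vectors described above, and the allow-list mitigation, as an added example that is not code from the CWE entry or from any real application. The loader function names, the $pages map and the temporary template directory are assumptions made for this illustration; the script builds its own files and cleans them up.

```php
<?php
// Added example (not from the CWE entry or any real application): a page
// loader that passes request data straight to include(), beside a hardened
// loader. The function names, the $pages map and the temporary template
// directory are assumptions made for this illustration.
declare(strict_types=1);

// VULNERABLE: the request parameter is used as a path. Traversal with ".."
// escapes the template directory; on PHP < 5.3.4 a "%00" (null byte) also
// truncated the appended ".php" suffix, and with allow_url_include=On
// (PHP >= 5.2) a "http://..." value fetches and executes remote code.
function load_page_vulnerable(string $templateDir, string $page): void
{
    include $templateDir . '/' . $page . '.php';
}

// HARDENED: the request selects a key in a fixed allow list, never a path.
// As defence in depth the resolved file must still lie inside $templateDir.
function load_page_hardened(string $templateDir, string $page): bool
{
    static $pages = ['home' => 'home.php', 'about' => 'about.php'];
    if (!isset($pages[$page])) {
        return false;                       // unknown key: refuse, never guess
    }
    $base = realpath($templateDir);
    $file = realpath($templateDir . '/' . $pages[$page]);
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                       // resolved outside the template directory
    }
    include $file;
    return true;
}

// Constructed demo environment: a template directory plus a sibling file that
// should never be reachable through the page loader.
$root = sys_get_temp_dir() . '/cwe98_demo_' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/home.php', "<?php echo \"home page\\n\";\n");
file_put_contents($root . '/secret.php', "<?php echo \"secret.php executed\\n\";\n");

load_page_vulnerable($root . '/templates', 'home');        // home page
load_page_vulnerable($root . '/templates', '../secret');   // secret.php executed (traversal)

var_dump(load_page_hardened($root . '/templates', 'home'));       // home page, then bool(true)
var_dump(load_page_hardened($root . '/templates', '../secret'));  // bool(false), nothing included

// Clean up the constructed files.
foreach ([$root . '/templates/home.php', $root . '/secret.php'] as $f) {
    unlink($f);
}
rmdir($root . '/templates');
rmdir($root);
```

Run it with the PHP CLI. The hardened loader never hands user data to include(): the request can only pick a key, and the realpath prefix check is a second layer in case the map itself is ever populated from something less trustworthy than a literal.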
Relationship Notes
This is frequently a functional consequence of other weaknesses. It is
usually multi-factor with other factors (e.g. MAID), although not all
inclusion bugs involve assumed-immutable data. Direct request weaknesses
frequently play a role.
Can overlap directory traversal in local inclusion problems.
Research Gaps
Under-researched and under-reported. Other interpreted languages with
"require" and "include" functionality could also produce vulnerable
applications, but as of 2007, PHP has been the focus. Any web-accessible
language that uses executable file extensions is likely to have this type of
issue, such as ASP, since .asp extensions are typically executable.
Languages such as Perl are less likely to exhibit these problems because the
.pl extension isn't always configured to be executable by the web
server.
This tries to cover various problems in which improper data are
included within a "container."
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Potential Mitigations
Compartmentalize your system to have "safe" areas where trust
boundaries can be unambiguously drawn. Do not allow sensitive data to go
outside of the trust boundary and always be careful when interfacing
with a compartment outside of the safe area.
The web application fails to adequately enforce appropriate
authorization on all restricted URLs, scripts or files.
Extended Description
Web applications susceptible to direct request attacks often make the
false assumption that such resources can only be reached through a given
navigation path and so only apply authorization at certain points in the
path.
Alternate Terms
forced browsing:
The "forced browsing" term could be misinterpreted to include
weaknesses such as CSRF or XSS, so its use is discouraged.
Time of Introduction
Architecture and Design
Implementation
Operation
Applicable Platforms
Languages
All
Demonstrative Examples
Example 1
If forced browsing is possible, an attacker may be able to directly
access a sensitive page by entering a URL similar to the
following.
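The direct-request pattern described above, as an added example that is not code from the CWE entry or from any real application: a report script whose only protection is that the admin menu link is hidden, beside a small front controller that checks the required role on every restricted route before dispatching. The paths, role names, session layout and handler names are assumptions for this illustration.

```php
<?php
// Added example (not from the CWE entry): the forced-browsing pattern beside a
// front controller that enforces authorization on every restricted route.
// The paths, roles, session layout and handler names are assumptions.
declare(strict_types=1);

// VULNERABLE: the only authorization check lives in the menu. The report
// script assumes it can be reached only by clicking the admin menu, so a
// direct request for /admin/report.php by anyone is served.
function render_menu_vulnerable(array $session): string
{
    return (($session['role'] ?? null) === 'admin')
        ? '<a href="/admin/report.php">Admin report</a>'
        : '(no admin links)';
}
function admin_report_vulnerable(array $session): string
{
    return 'quarterly numbers';             // no check here at all
}

// HARDENED: each restricted route declares the role it requires, and dispatch
// enforces it before calling the handler, regardless of how the user arrived.
const ROUTES = [
    '/'                 => ['role' => null,    'handler' => 'page_home'],
    '/account'          => ['role' => 'user',  'handler' => 'page_account'],
    '/admin/report.php' => ['role' => 'admin', 'handler' => 'page_admin_report'],
];
function page_home(): string { return 'welcome'; }
function page_account(): string { return 'your account'; }
function page_admin_report(): string { return 'quarterly numbers'; }

// Returns [status, body]. An unknown path is 404; a restricted path with the
// wrong (or no) role is 403 before any handler runs.
function dispatch(string $path, array $session): array
{
    $route = ROUTES[$path] ?? null;
    if ($route === null) {
        return [404, 'not found'];
    }
    $required = $route['role'];
    if ($required !== null && ($session['role'] ?? null) !== $required) {
        return [403, 'forbidden'];          // exact-match roles; a real app maps a hierarchy
    }
    return [200, ($route['handler'])()];
}

// Constructed sessions: anonymous, ordinary user, admin.
$anon  = [];
$user  = ['role' => 'user'];
$admin = ['role' => 'admin'];

// The vulnerable report is served to anyone who types the URL:
echo render_menu_vulnerable($user), "\n";               // (no admin links)
echo admin_report_vulnerable($user), "\n";              // quarterly numbers  <- bypass

// The dispatcher refuses the same direct request unless the role matches:
foreach ([$anon, $user, $admin] as $s) {
    [$code, $body] = dispatch('/admin/report.php', $s);
    echo $code, ' ', $body, "\n";   // 403 forbidden / 403 forbidden / 200 quarterly numbers
}
```

The point of the route table is that the authorization decision is attached to the resource, not to the navigation step that normally leads to it; a script that can be requested directly must either check for itself or sit behind a dispatcher that checks for it.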
Relationship Notes
Overlaps Modification of Assumed-Immutable Data (MAID), authorization
errors, container errors; often primary to other weaknesses such as XSS and
SQL injection.
Theoretical Notes
"Forced browsing" is a step-based manipulation involving the omission of
one or more steps, whose order is assumed to be immutable. The application
does not verify that the first step was performed successfully before the
second step. The consequence is typically "authentication bypass" or "path
disclosure," although it can be primary to all kinds of weaknesses,
especially in languages such as PHP, which allow external modification of
assumed-immutable variables.
Observed Examples
Array variable not initialized in PHP application,
leading to resultant SQL injection.
Potential Mitigations
Check that critical variables are initialized.
Use a static analysis tool to spot non-initialized variables.
Other Notes
This weakness is a major factor in a number of resultant weaknesses,
especially in web applications that allow global variable initialization
(such as PHP) with libraries that can be directly requested.
It is highly likely that a large number of resultant weaknesses have
missing initialization as a primary factor, but researcher reports generally
do not provide this level of detail.
Taxonomy Mappings
Mapped Taxonomy Name: PLOVER
Mapped Node Name: Missing Initialization
Content History
Submissions
PLOVER (Externally Mined)
Modifications
2008-07-01, Sean Eidemiller, Cigital, External: added/updated demonstrative examples
2008-07-01, Eric Dalci, Cigital, External: updated Potential Mitigations, Time of Introduction
2008-09-08, CWE Content Team, MITRE, Internal: updated Relationships, Other Notes, Taxonomy Mappings
A PHP application does not properly protect against the
modification of variables from external sources, such as query parameters or
cookies. This can expose the application to numerous weaknesses that would not
exist otherwise.
Observed Examples
Authentication bypass by modifying an array used for
authentication.
Potential Mitigations
Carefully identify which variables can be controlled or influenced by
an external user, and consider adopting a naming convention to emphasize
when externally modifiable variables are being used. An application
should be reluctant to trust variables that have been initialized
outside of its trust boundary. Ensure adequate checking is performed
when relying on input from outside a trust boundary. Do not allow your
application to run with register_globals enabled (the directive was
deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so current PHP cannot
enable it; the remaining risk is application code that emulates it). If
you implement a register_globals emulator, be extremely careful of variable
extraction (extract() on request arrays, or variable variables such as
$$key), dynamic evaluation, and similar issues, since weaknesses in your
emulation could allow external variable modification to take place even
without register_globals.
Other Notes
This is a language-specific instance of Modification of Assumed-Immutable
Data (MAID). This can be resultant from direct request (alternate path)
issues. It can be primary to weaknesses such as PHP file inclusion, SQL
injection, XSS, authentication bypass, and others.
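The two observed examples on this page, an uninitialized array that becomes SQL injection and an uninitialized flag that becomes an authentication bypass, as one added example that is not code from the CWE entry or from any real application. register_globals itself no longer exists, so the script emulates it with extract() on a request array, which is exactly the kind of emulator the mitigation above warns about. The table, parameter names and demo credential are assumptions for this illustration.

```php
<?php
// Added example (not from the CWE entry): an uninitialized $where array that
// becomes SQL injection and an uninitialized $authorized flag that becomes an
// authentication bypass, with register_globals emulated by extract(), beside
// initialized versions. Table, parameter names and credential are assumptions.
declare(strict_types=1);

// Stand-in for a real credential check; a real application verifies a stored
// hash with password_verify() instead of comparing a constant.
const DEMO_USER = 'alice';
const DEMO_PASS = 'correct horse battery staple';
function check_credentials(string $user, string $pass): bool
{
    return $user === DEMO_USER && hash_equals(DEMO_PASS, $pass);
}

// VULNERABLE (missing initialization): $where is never set before use, so a
// request ?where[]=...&category=books arrives with $where already populated.
function build_query_vulnerable(array $request): string
{
    extract($request);                      // emulates register_globals=On
    if (isset($category)) {
        $where[] = "category = '" . addslashes($category) . "'";
    }
    return 'SELECT * FROM items WHERE ' . implode(' AND ', $where);
}

// HARDENED: initialize in the trusted scope, read input only from the request
// array, and bind values instead of concatenating them.
function build_query_hardened(array $request): array
{
    $where  = [];
    $params = [];
    if (isset($request['category']) && is_string($request['category'])) {
        $where[]  = 'category = ?';
        $params[] = $request['category'];
    }
    $sql = 'SELECT * FROM items' . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    return [$sql, $params];
}

// VULNERABLE (authentication bypass): $authorized is only ever set on success,
// so ?authorized=1 with no credentials at all passes the final test.
function is_authenticated_vulnerable(array $request): bool
{
    extract($request);                      // emulates register_globals=On
    if (isset($user, $pass) && check_credentials($user, $pass)) {
        $authorized = true;
    }
    return !empty($authorized);
}

// HARDENED: the flag is initialized to false first, and nothing from the
// request can reach it except through the credential check.
function is_authenticated_hardened(array $request): bool
{
    $authorized = false;
    $user = $request['user'] ?? null;
    $pass = $request['pass'] ?? null;
    if (is_string($user) && is_string($pass) && check_credentials($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests.
$normal   = ['category' => 'books'];
$injected = ['category' => 'books', 'where' => ['1=1 OR price = 0']];
$bypass   = ['authorized' => '1'];

echo build_query_vulnerable($normal), "\n";    // SELECT * FROM items WHERE category = 'books'
echo build_query_vulnerable($injected), "\n";  // ... WHERE 1=1 OR price = 0 AND category = 'books'
[$sql, $params] = build_query_hardened($injected);
echo $sql, ' ', json_encode($params), "\n";    // SELECT * FROM items WHERE category = ? ["books"]

var_dump(is_authenticated_vulnerable($bypass)); // bool(true)   <- bypass
var_dump(is_authenticated_hardened($bypass));   // bool(false)
var_dump(is_authenticated_hardened(['user' => 'alice', 'pass' => DEMO_PASS])); // bool(true)
```

Both hardened functions apply the same rule from the mitigation above: variables that carry security decisions are created inside the trust boundary before any request data is examined, and request data is read by explicit key from the request array rather than unpacked into the local scope.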