File inclusion vulnerability

The term Remote File Inclusion describes a vulnerability in script-based web applications that allows an attacker to inject code unchecked into the web server and have it executed there.

The term Remote File Inclusion is most commonly associated with the PHP scripting language, but it also applies to other scripting languages that offer capabilities similar to those of PHP.

Explanation with respect to PHP

The PHP statements include and require (as well as include_once and require_once) are used to integrate additional PHP script files into the current script. The vulnerability occurs when insufficiently validated user input is used as a parameter for these statements. This can cause unwanted PHP script files to be executed. In the worst case, an attacker can even have program code that is delivered from a foreign web server executed.

Since the vulnerability is caused by weaknesses in the programming, only changing the script can help. PHP itself also provides the configuration option allow_url_fopen, with which the opening of URLs can be prohibited, but this also restricts other functions at the same time. In PHP 5.2, therefore, the configuration option allow_url_include was added separately; with it, only the inclusion and execution of remote resources through the above PHP statements can be prohibited.
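
The following is an added example, not code from the original article: it shows the vulnerable include pattern described above (as a comment only) next to a script-level fix in which user input merely selects an entry from a fixed allowlist. The parameter name "page", the demo directory and the file names are assumptions made for illustration.

```php
<?php
// Vulnerable pattern (shown as a comment so it is never executed):
//   include $_GET['page'] . '.php';
// User input reaches include unchecked; if allow_url_include is enabled,
// a URL supplied in "page" is fetched and run as PHP.

// Hardened form: the request value is only a lookup key. The file name
// passed to include always comes from this constant, never from input.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                      // unknown key: nothing is included
    }
    $path = $baseDir . DIRECTORY_SEPARATOR . PAGES[$requested];
    return is_file($path) ? $path : null; // allowlisted but missing file
}

// Constructed demo pages so the script runs stand-alone.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi_demo_pages';
if (!is_dir($base)) {
    mkdir($base);
}
file_put_contents($base . '/home.php', '<?php echo "home page\n";');
file_put_contents($base . '/contact.php', '<?php echo "contact page\n";');

// Constructed sample values standing in for $_GET['page'].
$samples = ['home', 'contact', 'http://remote.example/code', '../../etc/passwd'];

foreach ($samples as $input) {
    $file = resolve_page($input, $base);
    if ($file === null) {
        echo "rejected: $input\n";
        continue;
    }
    include $file;
}

// Defence in depth: report if remote inclusion is still enabled in php.ini.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    echo "warning: allow_url_include is enabled\n";
}
```

Run with the PHP command-line interpreter, the two allowlisted keys print their page and the other two values are rejected without ever reaching include.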

See also: Directory Traversal
