CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Official CWE-98 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-98: Remote file include
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Integrity,Confidentiality,Availability: Execute Unauthorized Code or Commands: The attacker may be able to specify arbitrary code to be executed from a remote location. Alternatively, it may be possible to use normal program behavior to insert php code into files on the local machine which can then be included and force the code to execute since php ignores everything in the file except for the content between php specifiers.
Developer Pattern
CWE-98 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
high confidence from CWE-98, 4.20.
Official CWE Definition
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- The following code, victim.php, attempts to include a function contained in a separate PHP page on the server. It builds the path to the file by using the supplied 'module_name' parameter and appending the string '/function.php' to it. The problem with the above code is that the value of $dir is not restricted in any way, and a malicious user could manipulate the 'module_name' parameter to force inclusion of an unanticipated file. For example, an attacker could request the above PHP page (example.php) with a 'module_name' of "http://malicious.example.com" by using the following request string:,Upon receiving this request, the code would set 'module_name' to the value "http://malicious.example.com" and would attempt to include http://malicious.example.com/function.php, along with any malicious code it contains.,For the sake of this example, assume that the malicious version of function.php looks like the following:,An attacker could now go a step further in our example and provide a request string as follows:,The code will attempt to include the malicious function.php file from the remote site. In turn, this file executes the command specified in the 'cmd' parameter from the query string. The end result is an attempt by tvictim.php to execute the potentially malicious command, in this case:,Note that the above PHP example can be mitigated by setting allow_url_fopen to false, although this will not fully protect the code. See potential mitigations.
Remediation
- Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Architecture and Design: [object Object]
- Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- Architecture and Design,Operation: [object Object]
- Architecture and Design,Operation: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
- Implementation: [object Object]
- Architecture and Design,Implementation: [object Object]
- Operation: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Detection
- Manual Analysis: Manual white-box analysis can be very effective for finding this issue, since there is typically a relatively small number of include or require statements in each program.
- Automated Static Analysis: [object Object]
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-184: Incomplete List of Disallowed Inputs
- CWE-425: Direct Request ('Forced Browsing')
- CWE-456: Missing Initialization of a Variable
- CWE-473: PHP External Variable Modification
- CWE-73: External Control of File Name or Path
- CWE-426: Untrusted Search Path
- CWE-706: Use of Incorrectly-Resolved Name or Reference
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- CWE-94: Improper Control of Generation of Code ('Code Injection')
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.