PHP Remote File Inclusion
Added: 01/28/2010Background
PHP scripts support the include and require statements, which cause an outside script to be run within the calling script. The included script can be a local file or, in some configurations, the URL of a remote file.Problem
The PHP script is vulnerable to a remote file inclusion vulnerability. This vulnerability typically arises due to an include or require command where the included file path can be manipulated by a remote user via a specific HTTP input parameter. A remote attacker could execute arbitrary PHP commands on the target by specifying the URL of a PHP script on his or her own server in the input parameter.Resolution
Fix the vulnerable code so that included path names cannot be manipulated by the user.The vulnerability can also be mitigated by setting the following variables in the PHP configuration file:
register_globals = Off allow_url_include = Off safe_mode = On
References
http://projects.webappsec.org/Remote-File-InclusionLimitations
This exploit works against Unix and Linux operating systems.The exploit requires the register_globals and allow_url_include PHP settings to be on, and the safe_mode PHP setting to be off.
The telnet and mkfifo
programs must exist on the target in order for the
shell connection to be established.
Back to exploit index