CAPEC-193

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: High
PHP Remote File Inclusion

Description

In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.

Prerequisites

Target application server must allow remote files to be included in the "require", "include", etc. PHP directives

The adversary must have the ability to make HTTP requests to the target web application.

Mitigations

Implementation: Perform input validation for all remote content, including remote and user-generated content

Implementation: Only allow known files to be included (allowlist)

Implementation: Make use of indirect references passed in URL parameters instead of file names

Configuration: Ensure that remote scripts cannot be include in the "include" or "require" PHP directives

Skills Required

[Low] To inject the malicious payload in a web page

[Medium] To bypass filters in the application