
Top 25 Series - Rank 13 - PHP File Inclusion

Authored by Dr. Johannes Ullrich

Last year, when we got going with our web honeypot, we quickly found that PHP file inclusion vulnerabilities were by far the #1 exploit the honeypot was exposed to [1]. In part, this may have been due to our heavy emulation of PHP applications. But many of the exploits didn't match any of the installed applications and were obviously sent blindly. In another blog post, I recently summarized some of the attacks from our isc.sans.org web logs, and again untargeted, "dumb" remote file inclusion came out ahead. The Top 25 list assigns CWE-98 the rank of 13 [2].

What is PHP file inclusion about? This flaw exploits the unintended use of a particularly dangerous PHP feature. A full-featured programming language like PHP typically provides a way to include additional files. This feature is frequently used to pull in libraries, headers or other pieces of code common to multiple pages. PHP adds a twist: the file does not have to be local. If a URL is provided, such as http://evilexample.com/code.php, the file is fetched from that URL and included. Vulnerable sample code looks like this:

<?php
// Vulnerable: the request parameter is passed straight to include()
include($_GET['site']);
?>

Code like this may be seen in an application that includes different configuration or header files depending on the context in which the application is used. Obviously, if this value is not validated, a remote URL may be specified, and the code located at that URL will be executed on the server.

Simple remote file inclusion like this is fairly easily avoided by turning off the "allow_url_fopen" and "allow_url_include" settings. But be careful: depending on your version of PHP, the "ftp://" URL scheme may still work, and other special prefixes like "php:" are not affected by these settings.

Even if remote inclusion is prevented by the server configuration, there is still a chance that local inclusion will happen. For example, the malicious user could specify a configuration file to be included.

Which brings us back to our main defense: input validation. Include file names have to be carefully validated. Best of all, ensure during application design that simple file names are used which are easy to validate. Perhaps only a fixed list of specific file names is allowed, or file names have to be purely alphanumeric.

Appending the extension yourself is of little use. For example, if the include statement reads:

include($_GET['file'].".php");

A value ending in %00 (a URL-encoded null byte) will cause the extension to be discarded, so url.php?file=/etc/password%00 may still work in this case.
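The following is an added example, not code from the original post, showing both defenses discussed above in one place: an explicit allowlist of include targets (the "list of specific file names" approach), and, for applications that must accept a free-form name, a character-set check combined with a realpath() containment test so that appending ".php" is no longer the only thing standing between the request and an arbitrary file. The directory layout (./pages/<name>.php) and the page names in ALLOWED_PAGES are constructed for this example; the assumption is that allow_url_include is already off, as the post recommends.

```php
<?php
// Added example (not from the original post): a hardened replacement for
// include($_GET['site']). Assumes pages live under ./pages/<name>.php;
// the names in ALLOWED_PAGES are constructed for this example.
declare(strict_types=1);

// 1. Explicit allowlist: request keys map to fixed, server-chosen paths.
//    The user-supplied value never becomes part of a path at all.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
    'about'   => 'pages/about.php',
];

function resolve_page_by_allowlist(string $requested): ?string
{
    // array_key_exists(), not in_array(): exact key match, no type juggling.
    return array_key_exists($requested, ALLOWED_PAGES)
        ? ALLOWED_PAGES[$requested]
        : null;
}

// 2. Fallback for applications that must accept free-form names: restrict
//    the character set, then confirm the resolved path stays inside the
//    intended directory. Appending ".php" alone is not enough (see the %00
//    case in the post), so null bytes and path separators are rejected first.
function resolve_page_by_pattern(string $requested, string $baseDir): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;                       // embedded null byte: reject outright
    }
    // Alphanumeric/underscore only: no ".", "/", "\" or ":" can get through.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $requested)) {
        return null;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;                       // directory or file does not exist
    }
    // realpath() has collapsed any "..", so a prefix check proves containment.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Dispatch: unknown or malformed names get a 404 instead of an include().
// The is_string() check also rejects array-shaped input such as ?site[]=x.
$requested = (isset($_GET['site']) && is_string($_GET['site'])) ? $_GET['site'] : 'home';
$target    = resolve_page_by_allowlist($requested);
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```

The allowlist branch is the one to prefer: the request value is only ever used as a lookup key, so neither remote URLs, "php:" style wrappers, nor "../" sequences are reachable. resolve_page_by_pattern() is there for the case the post describes where file names must be alphanumeric; its realpath() check fails closed when the file does not exist, which is the right behaviour for an include target.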

  1.  http://isc.sans.org/weblogs
  2.  http://cwe.mitre.org/data/definitions/98.html