Include vulnerability

This article does not cite any sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Include vulnerability" – news · newspapers · books · scholar · JSTOR (December 2009) (Learn how and when to remove this message)

A server-side include vulnerability is a vulnerability that may allow an attacker to execute arbitrary scripts on a host server by causing an existing script to include an arbitrary file. The vulnerability arises by allowing unchecked user data to be passed to include directives in scripting languages, such as PHP.

In PHP, include(), require() and similar functions may allow the application developer to include an external PHP script in the running script. If it is possible for the user to control arguments to the include function, it may be possible for a malicious user to direct the vulnerable script to execute arbitrary code on the host server, allowing complete control of PHP execution on the host server.

The proper solution to this vulnerability is to modify the vulnerable code in order to prevent user control of file include directives.

A PHP include vulnerability may be partially mitigated in some cases by using PHP's allow_url_fopen and allow_url_include options in an effort to limit file inclusion to local files, but this may be evaded in some cases (e.g. by including Apache's logfile which may contain arbitrary PHP code).

• Server Side Includes
• Remote File Inclusion

• Remote File Inclusion Vulnerabilities The Web Application Security Consortium Threat Classification

This computer science article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e