PHP Remote File Inclusion
PHP is the most common web application language and framework in use today. Not surprisingly, attackers have steadily launched attacks against it that seek to take advantage of certain default PHP functions and insecure programming practices. PHP applications that do not adequately sanitize user-supplied input and that do not properly configure PHP defaults are susceptible to remote file inclusion vulnerabilities. These vulnerabilities have steadily grown in number during the past year, to the point where only SQL Injection and Cross-Site Scripting attacks outnumber PHP remote file inclusion vulnerabilities. They can be leveraged to include a file containing malicious PHP code and execute it in the context of the webserver process, and in some circumstances can even lead to a complete compromise of the application and access to the underlying system. And more often than not, it only takes a web browser to do it.
So how do you prevent these types of attacks? From a hosting perspective, be sure you keep up to date on PHP versions and patches. New attacks for different functions are announced almost every day.
By default, PHP allows file functions to access remote resources using a feature called "allow_url_fopen". This feature allows filesystem operations to open URLs as if they were local files, which makes it easy for an attacker to change the destination to a malicious file of their choosing. If you aren't using it, disable it. register_globals and magic_quotes_gpc should also be disabled if they aren't being utilized, as they can also be abused. Enable open_basedir, but make sure that it is configured correctly. And, if you don't need them, disable PHP wrappers.
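The directives mentioned above, collected into a php.ini fragment as an added example (not configuration from the original post). Each weak setting is shown as a comment beside the hardened value; the open_basedir path is a placeholder for the application's own document root. One caveat worth knowing: from PHP 5.2 onward the include/require family is governed by a separate directive, allow_url_include, which itself depends on allow_url_fopen, so both should be off on a host that does not need remote fetching.

```ini
; Added example, not from the original post: php.ini directives relevant to
; remote file inclusion, weak value commented out, hardened value active.

; weak: allow_url_fopen = On   (fopen(), file_get_contents() etc. fetch URLs)
allow_url_fopen = Off

; weak: allow_url_include = On (include/require accept URLs; PHP >= 5.2)
allow_url_include = Off

; weak: register_globals = On  (request variables silently become PHP globals)
register_globals = Off

; weak: magic_quotes_gpc = On  (gives a false sense of escaping, mangles input)
magic_quotes_gpc = Off

; weak: open_basedir =         (unrestricted: any readable file can be included)
; placeholder path, replace with the application's own document root
open_basedir = "/var/www/example/:/tmp/"
```

There is no php.ini switch for stream wrappers; dropping unneeded wrappers is done at runtime with stream_wrapper_unregister() in application bootstrap code.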
If you have a lot of PHP applications in use, be sure to scan your web applications with a vulnerability scanner on a regular basis (insert shameless plug for WebInspect here). This will help you identify known vulnerabilities and locate input validation issues. Be advised, however, that a source code review is necessary to find all the potential vulnerabilities.
From a development perspective, be sure you are coding with the latest version of PHP and a hardened configuration such as the one described earlier. Never pass user-supplied input to file functions; this alone goes a long way towards mitigating remote file inclusion attacks. As always, never trust user-supplied input. Properly validating input will generally solve 80% of all web application vulnerabilities, not just PHP remote file inclusion, so it is worth the effort to implement.
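The development advice above, shown in code as an added example (not code from the original post): the classic pattern in which a request parameter reaches include(), followed by a hardened version where the user-supplied value is only ever used as a key into a fixed table of templates, plus the runtime wrapper removal the post recommends. The template names, the templates directory and the list of wrappers to drop are assumptions for the example.

```php
<?php
// Added example, not from the original post. Page names, the templates
// directory and the wrapper list below are constructed placeholders.

// The post recommends disabling wrappers you don't need. PHP has no ini
// switch for that, so it is done at runtime, assumed to run from an early
// bootstrap file. Which wrappers are safe to drop depends on the application.
foreach (['ftp', 'data', 'phar'] as $wrapper) {
    if (in_array($wrapper, stream_get_wrappers(), true)) {
        stream_wrapper_unregister($wrapper);
    }
}

// --- Vulnerable: a user-controlled value reaches include() directly.
// With allow_url_fopen/allow_url_include on, this resolves remote URLs;
// even with them off it still permits local path traversal.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// --- Hardened: the request parameter selects an entry from a fixed table.
// The value that reaches include() comes from this table, never from the
// request, so there is nothing for an attacker to redirect.
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_template(string $page, string $templateDir): ?string
{
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        return null;                 // unknown page: refuse, don't guess
    }
    $root = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . PAGE_TEMPLATES[$page]);
    // Defense in depth, in the spirit of open_basedir: confirm the resolved
    // file really lives under the template directory. realpath() returns
    // false for a missing file and follows symlinks, so a link pointing
    // outside the directory is rejected here as well.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(string $page, string $templateDir): void
{
    $template = resolve_template($page, $templateDir);
    if ($template === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $template;
}

// Usage from a request handler (assumed deployment layout). Anything that is
// not a plain string, such as page[]=..., falls back to the default page.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
render_page_hardened($requested, __DIR__ . '/templates');
```

The lookup table is the important part: input validation here does not mean stripping "bad" characters out of a path, it means never building a path from the request at all. The realpath() check is a second layer for the case where the table is later extended with entries that are themselves computed.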