SYM_PHP_0018 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

| Property | Value |
|---|---|
| Language | PHP |
| Severity | |
| CWE | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Including files in PHP using variables that can be influenced by user input is unsafe. It lets an attacker choose which file is loaded, which can expose sensitive data or execute unwanted code. Always select the file to include from a fixed list, or thoroughly validate and sanitize all user input before it reaches an `include`/`require` statement.
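The following is an added illustration, not code from the Symbiotic-Vulnerability-Database entry: a page router written the unsafe way described above, next to a hardened version that only ever passes a server-defined filename to `include`. The `page` query parameter, the `pages/` directory and the template names are assumed for the example.

```php
<?php
// Added example for SYM_PHP_0018 (not from the wiki entry). The request
// parameter, directory and template names below are assumed for illustration.

declare(strict_types=1);

// VULNERABLE (CWE-98): the include path is built from user input, so the
// requester decides which file is loaded. Depending on configuration this can
// expose local files or, where remote inclusion is enabled, load remote code.
function renderPageUnsafe(array $query): void
{
    $page = $query['page'] ?? 'home';
    include __DIR__ . '/pages/' . $page . '.php'; // user controls the filename
}

// HARDENED: user input is used only as a key into a fixed allowlist. The
// string handed to include is always one of these constant values.
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(string $requested): ?string
{
    // Exact-match lookup only: no normalisation, no prefix checks and no
    // path joining with untrusted data, so there is nothing to bypass.
    return PAGE_TEMPLATES[$requested] ?? null;
}

function renderPageSafe(array $query): void
{
    $requested = $query['page'] ?? 'home';
    $template  = is_string($requested) ? resolvePage($requested) : null;

    if ($template === null) {
        // Unknown or malformed page name: fail closed instead of guessing.
        http_response_code(404);
        echo 'Unknown page';
        return;
    }

    include __DIR__ . '/pages/' . $template;
}

renderPageSafe($_GET);
```

The hardened version treats the request value purely as a lookup key; validating or "sanitizing" a path string is far more error-prone than never building a path from it at all. As defence in depth, keep `allow_url_include` disabled in `php.ini` (it is Off by default and deprecated since PHP 7.4), so a stray dynamic include cannot fetch remote code even if one slips through review.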
## Impact

If exploited, attackers could read sensitive files from the server (like configuration files or passwords), or in some setups, even execute malicious code. This can lead to data breaches, server compromise, or a full takeover of the application.