Invicti identified a Code Evaluation via Local File Inclusion (PHP).
- If possible, do not permit file paths to be appended directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
- If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
- It is important to limit the API to allow inclusion only from a directory and directories below it. This ensures that any potential attack cannot perform a directory traversal attack.
- Why Framework Choice Matters in Web Application Security
- Sven Morgenroth Talks About PHP Object Injection Vulnerabilities on Paul’s Security Weekly Podcast
- End of Support for PHP 5 and PHP 7.0
- The Powerful Resource of PHP Stream Wrappers
- Sven Morgenroth Talks About PHP Type Juggling on Paul’s Security Weekly Podcast