PHP External Control of Filename
Description
Detects when PHP file operations accept external/user-controlled input as filenames. This can enable path traversal attacks or unauthorized file access if unsanitized user input is used directly in file operations.
Detection Strategy
• Identifies PHP file operation functions like fopen(), file_get_contents(), or include()
• Checks if the filename parameter comes from an external source like user input or HTTP parameters
• Reports a vulnerability when file operations use unsanitized external input as filenames
• Examines function argument lists for data that could be controlled by users
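The strategy above, as an added example that is not Fluid Attacks' own scanner: a coarse, line-based taint check in Python that looks for PHP file-operation sinks whose filename argument reads a request superglobal, directly or through a variable assigned from one. The sink and source lists, the taint rules and the sample inputs are all constructed assumptions.

```python
import re

# Constructed, non-exhaustive list of PHP functions/constructs that take a filename.
FILE_SINKS = ("fopen", "file_get_contents", "file_put_contents", "readfile", "file",
              "include", "include_once", "require", "require_once",
              "rename", "copy", "unlink", "move_uploaded_file")
# Client-controlled inputs. $_FILES[...]['name'] is chosen by the client; 'tmp_name' is not.
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\$_FILES\[[^\]]+\]\[\s*['\"]name['\"]\s*\]")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.+);\s*$")
# Matches both call syntax (fopen(...)) and bare constructs (include $x;).
CALL = re.compile(r"\b(" + "|".join(FILE_SINKS) + r")\b\s*\(?\s*(.+?)\)?\s*;")
VAR = re.compile(r"\$\w+")


def is_tainted(expr: str, tainted: set) -> bool:
    """True if the expression reads a source directly or uses a variable derived from one."""
    return bool(SOURCES.search(expr)) or any(v in tainted for v in VAR.findall(expr))


def find_external_filenames(php_source: str) -> list:
    """Report file-operation calls whose filename argument is (transitively) user-controlled.

    Heuristic only: no sanitizer awareness and no control-flow, so findings need review."""
    tainted, findings = set(), []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop trailing comment (naive about '//' in strings)
        call = CALL.search(code)
        if call and is_tainted(call.group(2), tainted):
            findings.append({"line": lineno, "sink": call.group(1), "expr": call.group(2).strip()})
        assign = ASSIGN.match(code)
        if assign:  # propagate taint through assignments, clear it on a clean reassignment
            var, rhs = assign.group(1), assign.group(2)
            if is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)
    return findings


# Constructed samples: the page's vulnerable rename, an include() case, a clean read, then a safe upload.
VULNERABLE_SAMPLE = """<?php
$destination = $_GET['dest'];
rename($_FILES['uploaded']['tmp_name'], '/var/www/' . $destination);
$page = $_GET['p'];
include $page . '.php';
$cfg = '/etc/app.ini';
$data = file_get_contents($cfg);
"""
SAFE_SAMPLE = """<?php
$name = bin2hex(random_bytes(16));
move_uploaded_file($_FILES['uploaded']['tmp_name'], '/var/www/uploads/' . $name);
"""

if __name__ == "__main__":
    for f in find_external_filenames(VULNERABLE_SAMPLE):
        print(f"line {f['line']}: {f['sink']}({f['expr']}) uses external input as a filename")
```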
Vulnerable code example
<?php
function process_user_upload() {
    // SECURITY ISSUE: Attacker controls destination path via GET parameter
    $destination = $_GET['dest'];
    // VULNERABLE: Allows path traversal via unvalidated destination
    rename($_FILES['uploaded']['tmp_name'], '/var/www/' . $destination);
}
✅ Secure code example
<?php
function process_user_upload() {
    // Validate upload exists and completed successfully
    if (!isset($_FILES['uploaded']) || $_FILES['uploaded']['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // Generate random filename to prevent path traversal: the client never influences the path
    $filename = bin2hex(random_bytes(16));
    // Store under a fixed directory; move_uploaded_file() also verifies the source is a real upload
    return move_uploaded_file($_FILES['uploaded']['tmp_name'], '/var/www/uploads/' . $filename);
}