PHP Local File Inclusion RCE Risk
Description
Identifies PHP code patterns where file inclusion operations (like include, require) could be manipulated by user input to include arbitrary local files. This vulnerability could allow attackers to execute malicious PHP code by forcing the application to include unexpected files from the local filesystem.
Detection Strategy
• Identifies PHP file inclusion functions (include, include_once, require, require_once)
• Checks if the filename/path parameter comes from user-controllable input sources
• Verifies if there is insufficient sanitization or validation of the file path
• Reports issues when user input can influence which files are included
Vulnerable code example
<?php
if (isset($_GET['page'])) {
    $file = $_GET['page'];
    // VULNERABLE: Unsanitized user input used in file inclusion
    include($file); // Attacker can inject arbitrary file paths
}
✅ Secure code example
<?php
if (isset($_GET['page'])) {
    $allowed_pages = ['home.php', 'about.php', 'contact.php']; // Define allowed pages
    $requested_page = $_GET['page'];
    // Only include files from the pre-approved allowlist; strict comparison avoids type juggling
    if (in_array($requested_page, $allowed_pages, true)) {
        include($requested_page);
    } else {
        http_response_code(404); // Any other value is rejected rather than included
    }
}
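The detection strategy above, applied to the two code examples, as an added sketch (not Fluid Attacks' own analyzer): a line-oriented taint pass that marks variables assigned from a superglobal as tainted, treats an in_array() allowlist check as validation, and reports include/require calls whose path is still tainted. The PHP inputs are constructed for this example; the regex-based parsing is deliberately approximate.

```python
import re

# User-controllable sources from the page's detection strategy (constructed set).
SUPERGLOBALS = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}
# Longer names first so "include_once" is not matched as "include" + "_once".
INCLUDE_RE = re.compile(r"\b(include_once|require_once|include|require)\s*\(?\s*([^;]+?)\s*\)?\s*;")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]+);")
ALLOWLIST_RE = re.compile(r"\bin_array\s*\(\s*(\$\w+)")
VAR_RE = re.compile(r"\$\w+")

def find_lfi(php_source: str):
    """Return [(line_no, 'func(arg)')] for inclusions whose path is user-influenced.
    Line-oriented taint sketch: assignment from a superglobal or tainted variable taints
    the target; an in_array() allowlist check on a variable marks it validated."""
    tainted, validated, findings = set(), set(), []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        code = line.split("//", 1)[0]  # drop trailing line comments (approximate)
        for var, expr in ASSIGN_RE.findall(code):
            if set(VAR_RE.findall(expr)) & (SUPERGLOBALS | tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # overwritten with a value not derived from input
        validated.update(ALLOWLIST_RE.findall(code))
        m = INCLUDE_RE.search(code)
        if m:
            func, arg = m.groups()
            if set(VAR_RE.findall(arg)) & (SUPERGLOBALS | (tainted - validated)):
                findings.append((line_no, f"{func}({arg})"))
    return findings

# Constructed PHP inputs mirroring the page's two examples plus a concatenated path.
VULNERABLE_PHP = """<?php
if (isset($_GET['page'])) {
    $file = $_GET['page'];  // user input flows into the path
    include($file);
}
"""
SECURE_PHP = """<?php
if (isset($_GET['page'])) {
    $allowed_pages = ['home.php', 'about.php', 'contact.php'];
    $requested_page = $_GET['page'];
    if (in_array($requested_page, $allowed_pages, true)) {
        include($requested_page);
    }
}
"""
CONCAT_PHP = """<?php
require_once "pages/" . $_REQUEST['p'] . ".php";
"""
```

Running find_lfi over the three inputs flags line 4 of the vulnerable snippet and line 2 of the concatenated one, and reports nothing for the allowlisted version.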