Php Arbitrary File Read
Description
Detects PHP arbitrary file read vulnerabilities, where user-controlled input reaches a file operation without proper validation. By manipulating the file path, an attacker can read sensitive files from any location on the filesystem that the PHP process can access, gaining unauthorized access to sensitive data.
Detection Strategy
• Identifies PHP file operation functions like file_get_contents(), fopen(), or readfile() in the code
• Checks if the arguments/parameters to these file operations contain user-controlled input
• Reports a vulnerability when user input flows into file operation functions without proper sanitization or path validation
• Focuses on scenarios where file paths can be manipulated to access files outside intended directories
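The detection strategy above, worked through as an added example (this is not Fluid Attacks' rule or code): a small, heuristic, line-oriented taint tracker in Python. It marks a variable as user-controlled when it is assigned from a PHP superglobal or from another tainted variable, clears the mark when the variable is checked with in_array() or produced by basename(), and reports any file_get_contents(), fopen(), readfile() or file() call whose argument still references tainted data. The sanitizer list, the extra file() sink and the three PHP samples are constructed for this example.

```python
"""Heuristic taint tracker for the PHP arbitrary-file-read pattern.

Added example: line-oriented and single-file, it illustrates the detection
strategy (source -> assignment chain -> sink) rather than a parser-accurate
SAST engine. A "//" inside a PHP string literal (e.g. "http://") will confuse
the comment stripper; that is an accepted limitation of the heuristic.
"""
import re

# Sinks named in the rule, plus file(), which reads a whole file into an array.
FILE_SINKS = ("file_get_contents", "fopen", "readfile", "file")

# PHP superglobals that carry user-controlled input.
TAINT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

# Constructed sanitizer list: basename() strips directory components, so the
# result cannot point outside the intended directory.
SANITIZERS = ("basename",)

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.+?)\s*;\s*$")
VAR_RE = re.compile(r"\$\w+")
SINK_RE = re.compile(r"\b(" + "|".join(FILE_SINKS) + r")\s*\((.*)\)")
SANITIZER_RE = re.compile(r"^(" + "|".join(SANITIZERS) + r")\s*\(")
ALLOWLIST_RE = re.compile(r"\bin_array\s*\(\s*(\$\w+)")


def _tainted_parts(expr, tainted):
    """Return, in order and without duplicates, the superglobals and tainted
    variables referenced by a PHP expression."""
    parts = []
    for var in VAR_RE.findall(expr):
        if (var in TAINT_SOURCES or var in tainted) and var not in parts:
            parts.append(var)
    return parts


def find_file_read_flaws(php_source):
    """Return (line_number, sink, tainted_parts) for each file read whose
    argument is derived from user input without an allow-list or basename()."""
    tainted = set()   # variables currently holding user-controlled data
    findings = []

    for lineno, line in enumerate(php_source.splitlines(), 1):
        code = line.split("//", 1)[0]  # drop trailing line comments

        # Allow-list check: in_array($var, ...) validates $var from here on.
        for var in ALLOWLIST_RE.findall(code):
            tainted.discard(var)

        # Sink check uses the taint state *before* any assignment on this line.
        for sink, args in SINK_RE.findall(code):
            parts = _tainted_parts(args, tainted)
            if parts:
                findings.append((lineno, sink, parts))

        # Propagate taint through simple assignments.
        m = ASSIGN_RE.match(code)
        if m:
            lhs, rhs = m.groups()
            if SANITIZER_RE.match(rhs) or not _tainted_parts(rhs, tainted):
                tainted.discard(lhs)
            else:
                tainted.add(lhs)

    return findings


# Constructed sample: the vulnerable snippet shown in the rule.
VULNERABLE_PHP = """<?php
// User input from GET parameter is used directly in file path
$page = $_GET['view'];
echo file_get_contents("templates/" . $page);
"""

# Constructed sample: the allow-listed version shown in the rule.
SECURE_PHP = """<?php
$allowedPages = ['home.php', 'about.php', 'contact.php'];
$page = isset($_GET['view']) ? $_GET['view'] : '';
if (!in_array($page, $allowedPages, true)) {
    die('Invalid page requested');
}
echo file_get_contents("templates/" . $page);
"""

# Constructed sample: taint through two assignments, one read neutralised by
# basename(), and a superglobal passed straight to readfile().
MIXED_PHP = """<?php
$p = $_POST['doc'];
$q = $p;                      // second-hand taint
$handle = fopen($q, 'r');     // reported: $q derives from $_POST
$name = basename($_GET['f']); // directory components stripped
readfile("uploads/" . $name); // not reported
readfile($_COOKIE['theme']);  // reported: superglobal used directly
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP),
                       ("secure", SECURE_PHP), ("mixed", MIXED_PHP)):
        print(label, find_file_read_flaws(src))
```

Running the block reports one finding for the vulnerable sample (the file_get_contents() call fed by $page), none for the allow-listed sample, and two for the mixed sample (fopen() via the second-hand $q and readfile() fed directly from $_COOKIE). A real rule would work on a parsed AST, track taint across functions and files, and model control flow so that an allow-list check only counts on the branches it actually guards; the line-based approximation here is enough to show why the rule is phrased in terms of flows rather than individual function names.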
Vulnerable code example
<?php
// User input from GET parameter is used directly in file path
$page = $_GET['view'];
// Vulnerable: Unsanitized user input used in file operations
echo file_get_contents("templates/" . $page);
Secure code example
<?php
// Define allowed pages whitelist for strict input validation
$allowedPages = ['home.php', 'about.php', 'contact.php'];
// Get user input and validate against whitelist
$page = isset($_GET['view']) ? $_GET['view'] : '';
// Strict comparison (third argument true) so only exact whitelist entries pass
if (!in_array($page, $allowedPages, true)) {
    // Reject anything not on the whitelist before it reaches the filesystem
    die('Invalid page requested');
}
// $page is now guaranteed to be one of the whitelisted file names
echo file_get_contents("templates/" . $page);