Added allow_url_include. Added suggestion for preg_quote. #11

Open: wants to merge 1 commit into base: master
6 changes: 3 additions & 3 deletions book/lang/en/source/_includes/Code-Injection.rst
Expand Up @@ -17,7 +17,7 @@ File Inclusion

The most obvious target for a Code Injection attack are the include(), include_once(), require() and require_once() functions. If untrusted input is allowed to determine the path parameter passed to these functions it is possible to influence which local file will be included. It should be noted that the included file need not be an actual PHP file; any included file that is capable of carrying textual data (e.g. almost anything) is allowed.

The path parameter may also be vulnerable to a Directory Traversal or Remote File Inclusion. Using the ../ or ..\ (dot-dot-slash) string in a path allows an attacker to navigate to almost any file accessible to the PHP process. The above functions will also accept a URL in PHP's default configuration unless XXX is disabled.
The path parameter may also be vulnerable to a Directory Traversal or Remote File Inclusion. Using the ../ or ..\ (dot-dot-slash) string in a path allows an attacker to navigate to almost any file accessible to the PHP process. The above functions will also accept a URL in PHP's default configuration unless allow_url_include is disabled.

Evaluation
^^^^^^^^^^
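Review bot: the new sentence still describes remote inclusion as enabled "in PHP's default configuration unless allow_url_include is disabled", but allow_url_include has defaulted to Off since it was introduced in PHP 5.2, so the default configuration already blocks URL includes. Suggest inverting the condition so it matches the actual default, e.g. "The above functions will also accept a URL if allow_url_include is enabled (it is disabled by default since PHP 5.2)", and noting that allow_url_fopen must also be on for the URL wrappers to work. Filling in the XXX placeholder with the correct directive name is the right fix; only the surrounding claim about the default needs adjusting.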
Expand All @@ -27,7 +27,7 @@ PHP's eval() function accepts a string of PHP code to be executed.
Regular Expression Injection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The PCRE function preg_replace() function in PHP allows for an "e" (PREG_REPLACE_EVAL) modifier which means the replacement string will be evaluated as PHP after subsitution. Untrusted input used in the replacement string could therefore inject PHP code to be executed.
The PCRE function preg_replace() function in PHP allows for an "e" (PREG_REPLACE_EVAL) modifier which means the replacement string will be evaluated as PHP after subsitution. Untrusted input used in the replacement string could therefore inject PHP code to be executed. Protection against regular expression injection is provided by PHP's preg_quote function.a

Flawed File Inclusion Logic
^^^^^^^^^^^^^^^^^^^^^^^^^^^
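Review bot: the added sentence points readers at the wrong control for the risk the paragraph describes. preg_quote() escapes regex metacharacters in untrusted input that is interpolated into the pattern, so it mitigates pattern injection; it does nothing for untrusted input in the replacement string under the "e" modifier, where the replacement is evaluated as PHP after substitution. Suggest rewording to "preg_quote() protects untrusted input used in the pattern itself; the "e" modifier should not be used with untrusted replacement strings at all (it was deprecated in PHP 5.5 and removed in 7.0; use preg_replace_callback() instead)". The line also ends with a stray "a" after "preg_quote function." and carries over two pre-existing typos from the original text, "The PCRE function preg_replace() function" and "subsitution", which are worth fixing while this line is being touched.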
Expand All @@ -45,4 +45,4 @@ Goals of Code Injection
The goal of a Code Injection is extremely broad since it allows the execution of any PHP code of the attacker's choosing.

Defenses against Code Injection
-------------------------------
-------------------------------
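Review bot: this hunk shows no visible textual change; the removed and added "-------------------------------" lines are identical, so the change is a trailing newline or line-ending difference at the end of the file. It is unrelated to the two edits named in the PR title, so consider dropping it to keep the diff focused, or, if the missing newline at EOF is intentional, say so in the commit message.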