HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: November 2006

PHP Remote File Inclusion

PHP is the most common web application language and framework in use today. Not surprisingly, attackers have steadily launched attacks against it that take advantage of certain default PHP functions and insecure programming practices. PHP applications that do not adequately sanitize user-supplied input, and that do not properly configure PHP defaults, are susceptible to remote file inclusion vulnerabilities. These vulnerabilities have grown steadily in number during the past year, to the point where only SQL Injection and Cross-Site Scripting attacks outnumber them. They can be leveraged to include a file containing malicious PHP code and execute it in the context of the webserver process, and in some circumstances can even lead to a complete compromise of the application and access to the underlying system. And more often than not, it only takes a web browser to do it.

So how do you prevent these types of attacks? From a hosting perspective, be sure you keep up to date on PHP versions and patches. New attacks for different functions are announced almost every day. 

By default, PHP allows file functions to access remote resources through a setting called allow_url_fopen. This feature lets filesystem operations open URLs as if they were local files, which makes it easy for an attacker to point a file operation at a malicious file of their choosing. If you aren't using it, disable it. register_globals and magic_quotes_gpc should also be disabled if they aren't being used, as these can also be taken advantage of. Enable open_basedir, but make sure that it is configured correctly. And, if you don't need them, disable PHP wrappers.

If you have a lot of PHP applications in use, be sure to scan your web applications with a vulnerability scanner on a continuing basis (insert shameless plug for WebInspect here). This will help you identify known vulnerabilities, and help locate input validation issues. Be advised, however, that a source code review would be necessary to find all the potential vulnerabilities.

From a development perspective, be sure you are coding against the latest version of PHP and a hardened configuration such as the one described earlier. Do not pass user-supplied input to file functions. This alone will go a long way towards mitigating remote file inclusion attacks. As always, never trust user-supplied input. Properly validating input will generally solve 80% of all web application vulnerabilities, not just PHP remote file inclusion, so it is worth the effort to implement.
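To make the development-side advice concrete, here is an added example (not code from the original post) showing the include pattern that leads to remote file inclusion next to a hardened version that treats the request parameter only as a key into a fixed allowlist of local templates. The page names, the templates directory and the open_basedir paths are assumptions.

```php
<?php
// Added example, not from the original post. Page names and paths are constructed.

// Vulnerable pattern: the request parameter flows straight into include().
// With allow_url_fopen enabled, "page" can name a remote URL; even with it
// disabled, "../" sequences can still reach files outside the templates
// directory (local file inclusion).
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// Hardened pattern: user input is only ever a lookup key. Whatever the
// client sends, the only files that can be included are the ones listed here.
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of an allowlisted template, or null for anything
// else (unknown keys, URLs, traversal sequences, empty input).
function resolve_template(string $page): ?string
{
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        return null;
    }
    // __DIR__ pins the include to the application's own templates directory.
    return __DIR__ . '/templates/' . PAGE_TEMPLATES[$page];
}

function render_page_safe(string $page): void
{
    $path = resolve_template($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Defence in depth at the configuration layer, as the post recommends. These
// are php.ini directives (allow_url_fopen is PHP_INI_SYSTEM, so ini_set()
// cannot change it at runtime). register_globals and magic_quotes_gpc were
// removed in PHP 5.4, so only older installs need those two lines.
//   allow_url_fopen  = Off
//   register_globals = Off
//   magic_quotes_gpc = Off
//   open_basedir     = /var/www/app:/tmp

render_page_safe($_GET['page'] ?? 'home');
```

With open_basedir set as above, even a future coding mistake that reintroduces the vulnerable pattern is confined to the listed directories rather than the whole filesystem.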


