CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program

Description

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP. The attacker may be able to specify arbitrary code to be executed from a remote location. Alternatively, it may be possible to use normal program behavior to insert php code into files on the local machine which can then be included and force the code to execute since php ignores everything in the file except for the content between php specifiers. The weakness is introduced during Architecture and Design, Implementation stages.

Latest vulnerabilities for CWE-98

Multiple vulnerabilities in Juniper Networks Junos cRPD 2024-04-15
High Yes

Multiple vulnerabilities in Juniper Cloud Native Router 2024-04-15
High Yes

Multiple vulnerabilities in Netcool Operations Insight 2024-04-03
High Yes

Multiple vulnerabilities in IBM Cloud Pak for Network Automation 2024-01-31
High Yes

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak 2024-01-30
High Yes

Multiple vulnerabilities in Trend Micro Apex Central 2024-01-09
Medium Yes

Multiple vulnerabilities in IBM Operational Decision Manager 2024-01-08
High Yes

Multiple vulnerabilities in Cacti 2023-12-27
Medium Yes

Multiple vulnerabilities in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 2023-12-01
High Yes

PHP file inclusion in bumsys 2023-11-20
High Yes

References

Description of CWE-98 on Mitre website