Preventing remote code injection attacks

• Look for include statements

  .
  
  

  • Vulnerable only when user input influences the command
  • include
  • require
  • include_once
  • require_once

• Autoloader code also potentially vulnerable

  .
  
  

  • Autoloading is associated with OOP
  • You can use _autoload()
  • Most frameworks use spl_autoload_register()
  • The autoloader does the include

• php.ini settings

  .
  
  

  • allow_url_include is normally off
  • allow_url_fopen is normally on
  • open_basedir prevents PHP from reading outside the specified directory tree
  • Vulnerable primarily when user input influences the command

• Other (more obscure) forms of injection attack

  .
  
  

  • Vulnerable only when user input influences the command
  • eval()
  • exec() or system()
  • Best practice: do not use these functions!