Preventing remote code injection attacks
Look for include statements
- Vulnerable only when user input influences the path given to the include statement
- include
- require
- include_once
- require_once
Autoloader code also potentially vulnerable
- Autoloading is associated with OOP
- You can use __autoload()
- Most frameworks use spl_autoload_register()
- The autoloader does the include
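Added example, not code from the original slides: a page-include pattern in its vulnerable form beside an allowlisted one, plus an spl_autoload_register() callback that validates the class name and resolved path before it includes anything. The pages/ and src/ directory names and the PAGE_MAP entries are assumptions for illustration.

```php
<?php
// VULNERABLE: user input flows straight into include(). With allow_url_include
// on, a URL in $page becomes remote code inclusion; even with it off, a
// traversal sequence such as ../ still reaches local files.
function renderPageVulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: user-supplied names are looked up in a fixed allowlist of files,
// so the request never chooses the path itself. (Assumed file layout.)
const PAGE_MAP = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function renderPage(string $page): void
{
    if (!array_key_exists($page, PAGE_MAP)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/' . PAGE_MAP[$page];
}

// The autoloader is also an include, so a class name that came from the
// request (e.g. via new $name or unserialize()) must be validated before it
// becomes a path. spl_autoload_register() is the modern API; __autoload()
// is deprecated since PHP 7.2 and removed in 8.0.
spl_autoload_register(function (string $class): void {
    // Allow only the characters a namespaced class name can contain.
    if (!preg_match('/\A[A-Za-z0-9_\\\\]+\z/', $class)) {
        return;
    }
    $base = realpath(__DIR__ . '/src');           // assumed source tree
    $file = realpath($base . '/' . str_replace('\\', '/', $class) . '.php');
    // realpath() resolves traversal, so anything outside src/ is rejected here.
    if ($file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return;
    }
    require $file;
});

// $_GET['page'] is attacker-controlled; only the allowlisted version sees it.
renderPage($_GET['page'] ?? 'home');
```

The allowlist is the important part: validating characters alone still lets a request pick any file whose name passes the filter, whereas a map from short names to known files means the request chooses a key, never a path.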
php.ini settings
- allow_url_include is normally off
- allow_url_fopen is normally on
- open_basedir prevents PHP from reading outside the specified directory tree
- These settings limit the damage, but the risk arises primarily when user input influences the include path
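Added example, not from the original slides: the three php.ini directives above with a weak configuration beside a hardened one. The directory paths in open_basedir are assumed for illustration.

```ini
; --- Weak: remote includes allowed and no directory fence ---
;allow_url_include = On
;open_basedir =

; --- Hardened ---
; Off by default; keep it off so include/require never fetch a URL.
allow_url_include = Off

; On by default. It only governs fopen()/file_get_contents() on URLs and does
; not re-enable URL includes while allow_url_include is Off; turn it off too
; if the application never reads remote resources.
allow_url_fopen = On

; Confine file access to the application tree and the temp directory
; (assumed paths). Entries are separated by ":" on Unix and ";" on Windows.
open_basedir = /var/www/app:/tmp
```

To confirm what the running interpreter actually uses (the CLI and the web SAPI may load different ini files), run `php --ini` to see which files are loaded and `php -i | grep -E 'allow_url|open_basedir'` to print the effective values.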
Other (more obscure) forms of injection attack
- Vulnerable only when user input influences the command
- eval()
- exec() or system()
- Best practice: do not use these functions!
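Added example, not code from the original slides: the eval() and system() patterns above, each beside a form that evaluates no code and spawns no shell. The uploads/ directory and the calculator operations are assumptions for illustration; the hardened compute() uses match with throw, which needs PHP 8.0 or later.

```php
<?php
// VULNERABLE: the operator comes from the request and eval() turns it into
// PHP source, so any PHP expression the client supplies is executed.
function computeVulnerable(string $op, float $a, float $b): float
{
    return eval("return $a $op $b;");
}

// HARDENED: a fixed dispatch on known operation names; nothing is evaluated
// and an unknown name is an error rather than code.
function compute(string $op, float $a, float $b): float
{
    return match ($op) {
        'add'   => $a + $b,
        'sub'   => $a - $b,
        'mul'   => $a * $b,
        default => throw new InvalidArgumentException("unsupported operation: $op"),
    };
}

// VULNERABLE: a file name is concatenated into a shell command line, so shell
// metacharacters in the name become additional commands.
function fileSizeVulnerable(string $name): string
{
    return system("du -sh uploads/$name");
}

// HARDENED: no shell at all. PHP's own filesystem API does the job on a name
// that is restricted to safe characters and pinned under uploads/ (assumed dir).
function fileSize(string $name): int
{
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name) || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('invalid file name');
    }
    $path = __DIR__ . '/uploads/' . $name;
    if (!is_file($path)) {
        throw new RuntimeException('no such file');
    }
    return filesize($path);
}

// If an external program is genuinely unavoidable, pass each value through
// escapeshellarg(), which single-quotes it so the shell treats it as one
// literal argument; the command name itself stays a fixed string.
function fileTypeViaShell(string $path): string
{
    return trim((string) shell_exec('file -b ' . escapeshellarg($path)));
}

// Usage with request-controlled values:
echo compute($_GET['op'] ?? 'add', (float) ($_GET['a'] ?? 0), (float) ($_GET['b'] ?? 0)), "\n";
echo fileSize($_GET['name'] ?? ''), "\n";
```

The order of preference matches the slide's advice: first remove the need for eval()/exec() entirely (a match on known names, the native filesystem functions), and only as a last resort keep a shell call with every argument quoted by escapeshellarg().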