
CAPEC-193: PHP Remote File Inclusion

Abstraction: Detailed
Status: Draft
Likelihood: High
Severity: High

Description

In this pattern the adversary is able to make the application load and execute arbitrary code hosted at a remote location. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
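The two conditions named above, the unsanitized include and the runtime setting, shown from the defender's side. This is an added example, not part of the CAPEC entry; the `page` parameter, the `PAGES` map, the `pages/` directory and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable shape described above (do not use): the request value reaches
// include unchanged, so the caller chooses what is loaded.
//   include $_GET['page'] . '.php';

// Hypothetical allowlist: request keys mapped to fixed files under pages/.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Returns the absolute path for an allowlisted key, or null for anything else.
function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null; // URLs, stream wrappers and traversal strings all stop here
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // Defence in depth: the resolved file must still sit inside the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Runtime check: include/require only accept URLs when allow_url_include is on.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (remote_include_enabled()) {
    error_log('allow_url_include is On; set it to Off in php.ini');
}

// The request value is only ever used as a lookup key, never as a path.
$key = is_string($_GET['page'] ?? null) ? $_GET['page'] : 'home';
$target = resolve_page($key, __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}
include $target;
```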

Related weaknesses · 2

CWE-98, CWE-80

Related attack patterns · 1

CAPEC-253 (ChildOf)

Exploits · 2

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (cwe-80) | 100% | live
Weakness | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (cwe-98) | 100% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: PHP Local File Inclusion
CAPEC: Remote Code Inclusion
CWE: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CAPEC: Code Inclusion
CAPEC: Server Side Include (SSI) Injection
CAPEC: Code Injection
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.