Remote attackers may be able to execute arbitrary PHP commands
on the web server.
PHP (Hypertext Preprocessor) is
a scripting language used for web development. PHP scripts can
be embedded into HTML files, and are run by the
web server when the file is requested by a web browser.
Some PHP scripts do not adequately control important
variables such as the directory path to supporting scripts.
A remote attacker is able to manipulate these variables
by sending specially crafted HTTP requests,
thereby allowing the attacker to run arbitrary PHP scripts.
For example, a PHP script may include the following code:
include($root_dir . 'common.php');
and the default value of the variable $root_dir
may be /var/www/php. In this case, the
PHP processor should execute the script
/var/www/php/common.php within the current
Now suppose an attacker who owns a web server called
badserver.com runs the script with the input
In this case, the PHP processor would execute the
The attacker could execute arbitrary code on the vulnerable
server by placing the code into the common.php
file on his or her own server.
For more information on this and other PHP scripting
[http://www.phpadvisory.com/articles/view.phtml?ID=5] On the Security of PHP by Jordan Dimov and
For more information on specific PHP injection vulnerabilities
see the following advisories:
To fix this problem, all PHP scripts should properly
initialize directory paths and other important constants, so
they cannot be manipulated by attackers. Setting
register_globals to off in
the php.ini file may also protect against
certain PHP injection vulnerabilities. For fix information
on specific products, see the appropriate reference below.
Note that in many of the affected software products, the
same problem lies in more than one script, even if only
one is reported here.