Improper Control of filename for include / require statement ('Include File Injection')

ID

php.include_file_injection

Severity

critical

Resource

Path Resolution

Language

Php

Tags

CWE:98, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1

Description

Include File Injection occurs when an application allows user input to specify files to be included at runtime, potentially leading to the inclusion of unintended files, execution of arbitrary code, or exposure of sensitive data.

Rationale

Include File Injection is a vulnerability that arises when user input is used to dynamically include files in a PHP application. Functions like include(), require(), include_once(), and require_once() load and evaluate a specified file. If these functions are fed unsanitized user input, an attacker can manipulate the file path to include remote files, local files containing sensitive information, or malicious scripts.

Consider the following PHP example where user input is used to include a file:

<?php
// Vulnerable: the page parameter flows straight into include() without
// validation, so the requester controls which file is loaded and evaluated.
$page = $_GET['page'];
include($page . '.php');
?>

In this example, an attacker could manipulate the page query parameter to include any accessible PHP file, resulting in unintended behavior such as code execution from unauthorized files or exposure of internal configurations. For instance, an attacker might use input like http://example.com/index.php?page=../../etc/passwd%00 to attempt to expose system files or sensitive application data.

Remediation

To mitigate Include File Injection vulnerabilities, validate and sanitize user input before using it to include files. Additionally, limit the files that can be included to a predefined list or directory, so that only trusted files are eligible for inclusion. The following steps describe a safer approach:

  1. Use a whitelist: Create an array of allowed file names and check user inputs against this list.

  2. Control file inclusion: Only allow inclusion of files from specific directories.
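Both steps combined, as an added example that is not part of the original page: the vulnerable include($page . '.php') pattern is replaced by an allow-list lookup followed by a directory-confinement check. The PAGES_DIR location, the page names in the map and the resolvePage() helper are assumptions made for this illustration.

```php
<?php
// Added example (not from the original page): hardened page inclusion.
// Step 1 (allow-list): map logical names to files; the raw request value
// is only ever used as a lookup key, never as part of a path.
// Step 2 (directory control): canonicalise the resolved path and confirm
// it still lies inside PAGES_DIR before including it.

declare(strict_types=1);

// Assumed layout: all includable pages live under ./pages relative to this file.
const PAGES_DIR = __DIR__ . '/pages';

// Assumed page names; anything not listed here is rejected.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to an absolute path inside PAGES_DIR,
 * or return null if the request is not permitted.
 */
function resolvePage(string $page): ?string
{
    // Step 1: only known keys pass. Because the user value never reaches
    // the path string, traversal sequences, null bytes and stream wrappers
    // (php://, http://, data:) have nothing to act on.
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }

    // Step 2: realpath() canonicalises the path (resolving ../ and symlinks)
    // and returns false if the file does not exist. The prefix comparison
    // catches a misconfigured map entry that would escape PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$page]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? 'home';
$path = resolvePage(is_string($requested) ? $requested : '');

if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}

include $path;
```

The allow-list alone already removes the injection, since the attacker-controlled string is never concatenated into a path; the realpath() prefix check is defence in depth against a bad entry in the map or a symlink planted under the pages directory. Note that realpath() returns false for a nonexistent file, so the function also refuses to include a page that has not been deployed rather than passing a false value to include.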

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check.

  • neutralizations, which indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.
