An Arbitrary File Execution attack occurs when an attacker is able to request files that are not meant to be called on their own. Consider the simple example below to demonstrate the problem:
/*config.php source code*/
<?php
session_start();
$userid = 0;
$userid = $_SESSION["userid"]; // empty unless the user has logged in
?>
/*required.php source code*/
<?php
// Assumes config.php has already run and that $userid can be trusted.
// displayUserPrivateData() is an application function not shown here.
if($userid > 0) displayUserPrivateData($userid);
else exit("Log in first");
?>
/*index.php source code*/
<?php
include("config.php");
include("required.php");
?>
There are three scripts above. The first two, config.php and required.php, are not meant to be called on their own; they are only meant to be included by index.php. The config.php file assigns a value to the $userid variable from the $_SESSION array. If the user is not logged in, $_SESSION["userid"] will be empty; otherwise it will hold some positive ID value. The required.php include assumes that config.php has already checked the status of the user and trusts $userid to hold the correct value. The logic of the application relies on the scripts being executed in that order. If you request the following URL: http://www.mywebsite.com/required.php?userid=5, and register_globals is enabled, the query-string value lands in $userid, config.php never runs, and the attacker will be able to see private data for any other user. This is a simple example, but you get the idea.

The developer needs to make sure that included files cannot be executed separately. This check could be done through .htaccess files or programmatically inside the scripts; the latter is preferred because it does not depend on any environment settings. The above scripts can be improved like this:
/*config.php source code*/
<?php
define("configincluded", true); // marker that required.php checks for
session_start();
$userid = 0;
$userid = $_SESSION["userid"];
?>
/*required.php source code*/
<?php
// Refuse to run unless config.php was included first in this request.
if(!defined("configincluded")) exit("Log in first");
if($userid > 0) displayUserPrivateData($userid);
else exit("Log in first");
?>
/*index.php source code*/
<?php
include("config.php");
include("required.php");
?>
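As an added example (not the original post's code), here is a stricter version of the same three scripts. Two things change: the guard constant is defined in index.php, the entry point, rather than in config.php, so that config.php is protected against direct requests as well; and required.php re-reads the user id from $_SESSION instead of trusting a plain variable that register_globals could have populated from the query string. The includes/ directory, the APP_ENTRY constant name and the displayUserPrivateData() helper are assumptions.

```php
/* includes/config.php (added example; layout and names are assumptions) */
<?php
// Refuse to run unless the entry script has already defined APP_ENTRY.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access is not allowed');
}
session_start();
// Read from the superglobal only; a bare $userid could have been set by
// register_globals before this script ran.
$userid = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : 0;
?>
/* includes/required.php */
<?php
if (!defined('APP_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access is not allowed');
}
// Derive the user id from the session again rather than trusting $userid,
// so the check does not depend on which script ran first.
$sessionUser = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : 0;
if ($sessionUser > 0) {
    displayUserPrivateData($sessionUser); // hypothetical helper from the post
} else {
    exit('Log in first');
}
?>
/* index.php: the only script a browser should ever request */
<?php
define('APP_ENTRY', true);
require __DIR__ . '/includes/config.php';
require __DIR__ . '/includes/required.php';
?>
```

With this layout a direct request for includes/required.php returns a 403 before any user data is touched, whatever the register_globals setting. The .htaccess route mentioned above complements it: a file includes/.htaccess containing the single line `Require all denied` (Apache 2.4 syntax; `Deny from all` on 2.2) stops Apache from serving anything in that directory, but it only works when the application runs under Apache with .htaccess overrides enabled, which is why the in-script check remains the primary control.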