Input Validation / PHP Code Injection
PHP code injection is an input validation vulnerability that allows an attacker to inject malicious code into web applications or APIs written in PHP. This vulnerability can be found in the CWE directory under CWE-94: Improper Control of Generation of Code ('Code Injection'). It is also covered in the OWASP Testing Guide under Input Validation.
The risk of PHP code injection is very high because it can lead to the full compromise of the web application or API. Attackers can use code injection to gain access to sensitive information, modify or delete data, or even take control of the server.
The best way to prevent PHP code injection is to validate all user input. This can be done by using a whitelist approach, which only allows specific types of input and rejects all others. Additionally, it is important to sanitize the inputs and make sure they are properly escaped when displayed back to the user.
An example of PHP code injection can be seen in CVE-2020-12107. This vulnerability is caused by insufficient filtering of user input in the
list.php file. The code below shows the vulnerable line of code.
$myvar = "varname"; $x = $_GET['arg']; eval("$myvar = $x;");