This type of attack allows an attacker to execute code remotely, install a root kit remotely, compromise the entire system, and compromise the internal system (on Windows systems) through the use of SMB file wrappers for the PHP scripting language.
All web application frameworks are vulnerable to this attack if they accept file names or files from a user.
| Signature name | Description | More information |
|---|---|---|
| HTTP_PHP_CRLF_Injection | Detects an HTTP header injection attempt in the argument data to a PHP script. | IBM® X-Force®: PHP fopen() and file() CRLF injection |
| HTTP_PHP_Includedir | Detects an HTTP URL request for a PHP file. The URL also uses a query string that begins with includedir=http:. |
IBM X-Force: Multiple vendor open-source PHP projects could allow remote command execution |
| HTTP_PHP_Script_Injection | Detects a PHP injection attempt that might be used to execute arbitrary code on a web server. | IBM X-Force: HTTP PHP script injection attempt detected |
| HTTP_PHP_Transfer_XSS | Detects a PHP script as content to an HTTP response. This is a strong indication of a PHP include() / require() overwrite attack. | IBM X-Force: HTTP SQL Injection CONVERT statement usage |
| HTTP_Server_Side_Include_Injection | Detects a Server Side Include injection attempt designed to execute arbitrary code on a web server. | IBM X-Force: HTTP Server Side Include injection attempt detected |