Remote code injections attempt to run the attacker’s code on a server, often by exploiting the functionality of the include or require functions.

The eval(), exec(), system(), and shell_exec() functions are vulnerable to remote code injections.

Include / Require attacks occur when including and executing files (possible from remote servers and includes remote code execution)

Counter Measures

• Check data against a whitelist

• Remove paths using basename()

• Set allow_url_include = off in php.ini that helps somewhat but not sufficient, as some attack vectors remain open