How Remote Execution Works
A remote execution attack aims to take direct control of your application by exploiting a scriptable interface within it. One such interface common to many PHP applications is a template system. Template systems provide a mechanism by which value placeholders in markup are replaced by actual values from your application. One of the easiest ways to do this is to use PHP's $variable notation throughout the template, so that passing the template through eval() replaces the variables with the actual values. In that case, the attacker can simply embed PHP code in submitted text, and the template system will execute it.
The main avenue for remote execution is user input that is used as part of a shell command, as when a PHP ...
Get Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
