PHP code injection (pmwiki)
Description
This vulnerability allows attackers to inject and execute arbitrary PHP code on the server. It occurs when user-controlled input is passed directly or indirectly to PHP's eval() function or similar dynamic code execution constructs without proper validation or sanitization. Because eval() treats its argument as executable PHP code, attackers can manipulate input parameters to run malicious commands with the same privileges as the web application.
Remediation
Eliminate the use of eval() and similar dynamic code execution functions whenever possible. If dynamic behavior is required, use safer alternatives such as predefined function mappings or configuration-based approaches.
If eval() cannot be avoided, implement strict input validation:
1. Use allowlists: Only permit known-safe values through strict whitelisting.
$allowed_actions = ['view', 'edit', 'delete'];
if (in_array($user_input, $allowed_actions, true)) {
// Safe to proceed
} else {
// Reject invalid input
}

2. Never pass user input directly to eval(): Avoid constructs like eval($user_input) entirely.
3. Refactor code: Replace dynamic evaluation with switch statements, function arrays, or design patterns that don't require code execution.
4. Apply defense in depth: Implement proper input validation, output encoding, and run the web application with minimal necessary privileges.
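As an added example that is not from PmWiki or from this page, the following PHP shows the refactoring that items 2 and 3 describe: a request handler that built PHP source for eval() from a request parameter, next to the same dispatch done through a fixed map of named functions. The parameter name "action", the handler function names and their return strings are assumptions made for illustration.

```php
<?php
// Added example, not PmWiki code. The "action" parameter and the
// handle_* functions are assumptions for illustration.
declare(strict_types=1);

// --- Before: user input reaches eval() ---------------------------------
// The request value is concatenated into a code string, so whoever sets
// ?action= controls what PHP executes. This is the pattern the finding
// describes; it is shown only for contrast and is never called below.
function dispatch_with_eval(string $action): string
{
    return (string) eval('return handle_' . $action . '();');
}

// --- After: allowlisted dispatch table, no dynamic code ----------------
// The map is the single place a new action can be registered. Input that
// is not an exact key is rejected before any handler runs, and no string
// from the request is ever interpreted as code or as a function name.
const ACTION_HANDLERS = [
    'view'   => 'handle_view',
    'edit'   => 'handle_edit',
    'delete' => 'handle_delete',
];

function handle_view(): string   { return 'viewing page'; }
function handle_edit(): string   { return 'editing page'; }
function handle_delete(): string { return 'deleting page'; }

function dispatch_safely(string $action): string
{
    // Exact key lookup: no normalisation, no prefix or partial matching,
    // so "view; phpinfo()" or "View" simply fail the check.
    if (!array_key_exists($action, ACTION_HANDLERS)) {
        return 'invalid action';
    }
    $handler = ACTION_HANDLERS[$action];
    return $handler();
}

// Minimal driver so the file runs from the CLI:  php example.php edit
// Request parameters may arrive as arrays (?action[]=x), so the type is
// checked before the value is treated as an action name at all.
$raw = $argv[1] ?? ($_GET['action'] ?? 'view');
$action = is_string($raw) ? $raw : '';
echo dispatch_safely($action), PHP_EOL;
```

The map plays the role of the allowlist from item 1 and of the "function arrays" from item 3 at once: adding an action means adding a key and a function, and any review of what the endpoint can do reduces to reading that one constant.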