Attacker executes own code on our server Usually by including local or remote file Also by using %eval()% or %exec()% on untrusted data Gain complete control over application Better design of files interconnection Nicer URL Validity of filenames and self-inclusion Protection against running without context If impossible, use %basename()% Turning off %allow_url_fopen% doesn't help Account on the same machine %php://input% is not disabled %file_exists% doesn't help in general %file_exists% doesn't take %include_path% into account. Create a PHP script doing anything you want with target application Use this script on a page including untrusted files Run included page without context Create a script abusing application "protected" by disabled %allow_url_fopen% http://php.vrana.cz/vzajemne-propojeni-souboru.php http://php.vrana.cz/vkladani-souboru.php http://php.vrana.cz/vkladani-souboru-2.php