The issue: Variables in include statements can lead to execution of external code
- With allow_url_fopen = On (default) external code can be included
<?php
// Vulnerable: the untrusted request parameter is concatenated straight into the include path.
require_once $_GET['action'] . '.php';
?>
The solution: Validate the requested action against a whitelist (an array lookup or a switch statement) and include only the fixed file name mapped to it, never a path built from raw user input.
<?php
// Map of allowed action names to fixed, hard-coded file names.
$files = array(
    'show' => 'show.php',
    'list' => 'list.php',
);
// Only keys present in the whitelist are accepted; the request value itself never reaches require_once.
if (isset($files[$_GET['action']])) {
    require_once $files[$_GET['action']];
} else {
    echo 'Not a valid action.';
}
?>
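The whitelist approach above, written out as a small stand-alone script (an added example, not code from the original slide). It shows both forms the slide mentions, the array lookup and the switch statement, as functions that return the resolved path or null so they can be exercised against sample input. The function names, the constant ACTION_FILES and the sample inputs are constructed for illustration; the two file names are the ones from the slide.

```php
<?php
// Added example (not from the original slide): a whitelist dispatcher for
// the "action" request parameter. Names here are constructed for illustration.
declare(strict_types=1);

// Allowed actions mapped to fixed file names. __DIR__ anchors the include
// to this script's directory, so the resolved path is never request-controlled.
const ACTION_FILES = [
    'show' => 'show.php',
    'list' => 'list.php',
];

/**
 * Resolve an untrusted action value to a whitelisted file path, or null.
 * The is_string guard matters: a request like ?action[]=x arrives as an array,
 * and using an array as an array key in isset() throws a TypeError on PHP 8.
 */
function resolve_action($action): ?string
{
    if (!is_string($action) || !isset(ACTION_FILES[$action])) {
        return null;
    }
    return __DIR__ . '/' . ACTION_FILES[$action];
}

/**
 * The same policy as a switch statement. Note that switch compares with ==,
 * so the array lookup above is the stricter of the two forms.
 */
function resolve_action_switch($action): ?string
{
    if (!is_string($action)) {
        return null;
    }
    switch ($action) {
        case 'show':
            return __DIR__ . '/show.php';
        case 'list':
            return __DIR__ . '/list.php';
        default:
            return null;
    }
}

// Constructed sample inputs: two valid actions, an unknown action,
// a remote URL, and an array-valued parameter.
$samples = ['show', 'list', 'delete', 'https://example.invalid/page', ['x']];
foreach ($samples as $sample) {
    $label = is_array($sample) ? 'array parameter' : $sample;
    $file  = resolve_action($sample);
    printf("%-30s => %s\n", $label, $file ?? 'rejected');
    // Both forms must agree on every input.
    if ($file !== resolve_action_switch($sample)) {
        throw new RuntimeException("whitelist forms disagree for: $label");
    }
}

// In the real request handler (assumed usage):
// $file = resolve_action($_GET['action'] ?? null);
// if ($file === null) { http_response_code(400); echo 'Not a valid action.'; exit; }
// require_once $file;
```

Running it with the PHP CLI prints the resolved path for `show` and `list` and `rejected` for the other three inputs. Two caveats worth keeping in mind: on PHP 5.2 and later, including a URL additionally requires allow_url_include=On (Off by default), so the whitelist is the control to rely on rather than the ini setting; and the whitelist also covers the case where allow_url_fopen is Off, since it rejects every value that is not an expected key, whatever form it takes.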