File Inclusion in PHP
Play PHP Labs on this vulnerability with SecureFlag!
Vulnerable Example
The require and require_once functions alongside include and include_once are commonly abused in File Inclusion exploits. The only difference being that require functions will generate an error and halt the running script if the file is not found, whereas include functions will only generate a warning.
As a result, untrusted input that ends up in these functions is always a red flag that needs to be audited.
<?php include_once($_GET['file']); ?>
References
MITRE - CWE 98 - Improper Control of Filename for Include/Require Statement in PHP Program