What is File Inclusion vulnerability?
A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time.
A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. An attacker can use remote code execution to create a web shell on the web server, which can be used for website defacement.
Types of File Inclusion vulnerabilities
File inclusion vulnerabilities come in two types, depending on the origin of the included file:
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
1. Local File Inclusion (LFI)
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server. LFI attacks can expose sensitive information, and in severe cases, they can lead to cross-site scripting (XSS) and remote code execution. LFI is listed as one of the OWASP Top 10 web application vulnerabilities.
File inclusions are a key to any server-side scripting language, and allow the content of files to be used as part of web application code. Here is an example of how LFI can enable attackers to extract sensitive information from a server. If the application uses code like this, which includes the name of a file in the URL:
https://example-site.com/?module=contact.php
An attacker can change the URL to look like this:
https://example-site.com/?module=/etc/passwd
And in the absence of proper filtering, the server will display the sensitive content of the /etc/passwd file.
As LFIs help an attacker trick a web application into either running or exposing files on a web server, a local file inclusion attack can lead to cross-site scripting (XSS) and remote code execution (RFI) vulnerabilities.
2. Remote File Inclusion (RFI)
OWASP defines Remote File Inclusion as the process of including remote files by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing the external URL to be injected.
Since PHP supports native functions that allow users to include remote files, web applications written in PHP code are more susceptible to RFI attacks.
Impact of LFI and RFI vulnerability
The impact depends on how the included file is used by the application and may manifest as rudimentary Arbitrary File Read right through to Server-Side Request Forgery and even Remote Code Execution (RCE).
If the files are run in the same code context of the application, this might be used to RCE to gain a foothold in the hosting infrastructure, pivot to connected systems throughout the organization, execute unauthorized commands, and fully compromise the confidentiality, integrity, and availability of the application.
Protecting Against LFI & RFI Attacks
The main cause for LFI and RFI vulnerabilities is improper input validation; therefore, efforts should be made to ensure the input received is properly sanitized before allowing it to pass to an include function.
Here are a few ways you can protect your web applications from these vulnerabilities.
- Disable the remote inclusion feature by setting the “allow_url_include to 0” in your PHP configuration.
- If circumstances demand that you enable the remote file inclusion feature, ensure that you make a whitelist of accepted filenames and limit the input to only those files on the list.
- Disable the “allow_url_fopen” option to control the ability to open, include or use a remote file.
- Use preset conditions as an alternative to filenames when file inclusion is based on user input.
