
File inclusion vulnerability

Last Updated: Nov 29, 2017

Description

A file inclusion vulnerability is a type of vulnerability that targets web applications that rely on a scripting run time. It occurs when an application builds the path to executable code from an attacker-controlled variable in a way that lets the attacker choose which file is executed at run time. File inclusion vulnerabilities undermine the way applications load code.

Remote File Inclusion (RFI) occurs when the web application downloads and runs a remote file. The remote file is usually specified as an HTTP or FTP URI in a user-supplied parameter to the web application.

Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability, except that instead of including remote files, only local files (files on the current server) can be included for execution. This issue can still lead to remote code execution by including a file that contains attacker-controlled data, such as the web server's access logs.

Hazards

This vulnerability can be exploited to run remote commands on servers. Attackers may exploit it to execute uploaded static files or website log files as code and thereby gain the server's privileges, with consequences such as malicious deletion of websites and tampering with user and transaction data.

Fix

  • Strictly check that the variable is initialized before it is used.

    We recommend that you treat all input data as untrusted and check every file address that the input could cause to be included, whether a local file or a remote file. Perform strict checks and strip any directory traversal sequences, such as ../, from parameters.

  • Check whether the parameters passed to file inclusion functions such as include can be controlled from outside.

  • Do not perform data validation and filtering only on the client; perform the key filtering steps on the server as well.

  • Test for all known threats before publishing an application.
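As an added example (not code from this page), a Python resolver for an include-style "page" parameter that applies the checks above, placed beside the unsafe concatenation pattern it replaces; the base directory, page names and the ".php" suffix are assumptions chosen for illustration:

```python
# Added example: hardening a user-controlled include path.
# BASE_DIR, ALLOWED_PAGES and the ".php" suffix are assumptions for illustration.
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

BASE_DIR = Path("/var/www/app/pages").resolve()   # assumed include directory
ALLOWED_PAGES = {"home", "about", "contact"}       # assumed explicit allowlist


def unsafe_include_path(page: str) -> str:
    """Vulnerable pattern: the parameter is concatenated straight into the path,
    so "../" sequences or a remote URI reach the include call unchanged."""
    return f"{BASE_DIR}/{page}.php"


def safe_include_path(page: str) -> Optional[Path]:
    """Hardened resolver: returns the vetted path, or None to reject the request."""
    # 1. A value with a URI scheme (http:, ftp:, ...) is an RFI attempt.
    if urlsplit(page).scheme:
        return None
    # 2. Reject traversal sequences, absolute paths and embedded NUL bytes.
    if ".." in page or page.startswith(("/", "\\")) or "\0" in page:
        return None
    # 3. Only names on the allowlist may be included at all; this also blocks
    #    log files and uploads, which are never on the list.
    if page not in ALLOWED_PAGES:
        return None
    # 4. Defence in depth: confirm the resolved path is still inside BASE_DIR.
    candidate = (BASE_DIR / f"{page}.php").resolve()
    try:
        candidate.relative_to(BASE_DIR)
    except ValueError:
        return None
    return candidate
```

The allowlist is the primary control; the traversal and containment checks exist so that a future mistake in the list does not silently reopen the hole.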
