A lot of applications need to include files to load classes or to share some templates between multiple web pages. A File Inclusion Vulnerability allows an attacker to access unauthorized or sensitive files on the web server or to execute malicious files by making use of the include()
functionality.(2)
How?
The File Include Vulnerabilities come from a lack of filtering when a user-controlled parameter is used as part of a file name in a call to an including function (require, require_once, include or include_once in PHP for example).
If the call to one of these methods is vulnerable, an attacker can manipulate the function to load their own code which can lead to:
- Local File Include: LFI. A local file is loaded, read, and interpreted, such as directory traversal to read arbitrary files.
- Remote File Include: RFI. A remote file is retrieved and interpreted.
- If the arbitrary code contains an opening PHP tag, the file will be interpreted as PHP code.(1)
Testing
If you are on a website, such as PentesterLabs File Include Lab, and you can see an error message once you inject a special character ("
) into the url parameter:
Warning: include(intro.php'): failed to open stream:
No such file or directory in /var/www/fileincl/example1.php on line 7
Warning: include(): Failed opening 'intro.php''
for inclusion (include_path='.:/usr/share/php:/usr/share/pear')
in /var/www/fileincl/example1.php on line 7
If you read the error message carefully, you can extract a lot of information such as:
- The path of the script: /var/www/fileincl/example1.php.
- The function used: include().
- The value used in the call to include is the value we injected intro.php' without any addition or filtering.
From here you can also use the methods used to detect directory traversal and to detect file include, such as applying the ../../../etc/passwd
technique in the URL.
Mitigation
- By default, modern PHP disables loading of remote files, thanks to the configuration option: allow_url_include but that doesn't mean that it's not exploitable if the PHP version is not current.
- Applying proper filtering of user-controlled parameters or supplying users with specific parameter options.
Top comments (0)