
Security Assessment

Risk         9.6
Probability  8.0
Impact       6.4
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

Vulnerability Information

A local/remote file inclusion allows the attacker to include arbitrary files into the web application, which can result in the exposure of sensitive files. In some cases the attacker is able to execute malicious code on the webserver and therefore can entirely takeover the machine.

Further Reading

Testing for local file inclusion

Testing for Remote File Inclusion

Guides

A local/remote file inclusion exists when user input is not validated correctly and is passed to PHP functions such as include, include_once, require, require_once, fopen or readfile. Therefore never include files directly from variables that can be manipulated by the user. The following code example shows one way to validate user input securely.


Validating user input
<?php

// The request parameter only selects which hardcoded file is included;
// its value is never used as a path, so it cannot point anywhere else.
if(isset($_GET['page']) and $_GET['page'] == 'home') {
	include('home.php');
}
elseif(isset($_GET['page']) and $_GET['page'] == 'news') {
	include('news.php');
}
// some other pages

?>


The best way to avoid this vulnerability is to hardcode all files which you need to include, as the example above shows. If you really need the inclusion of dynamic files, you could allow only the characters that are needed, such as a-zA-Z, and reject anything else, such as ./\. An even better solution is to maintain a whitelist of files that are allowed to be included. Any other file that is requested by the user can simply be rejected.

Note: If you try to implement your own filters and pass the filtered user input directly to the various include functions, make sure that your filters cannot be bypassed by using methods like string encoding.
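The whitelist approach described above, as an added example that is not part of the original page: the request supplies a key that is looked up in a fixed map, and the resolved path is additionally checked to lie inside a pages/ directory. The page names, the pages/ directory and the resolve_page() helper are assumptions for this example.

```php
<?php
// Added example: allowlist-based file inclusion (not the original page's code).
// Assumes a "pages/" directory next to this script containing the files below;
// the page names are hypothetical.

declare(strict_types=1);

// Allowed page keys mapped to fixed file names. The request selects a key,
// never a path, so traversal sequences or encoded variants never reach include().
const PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page key to an absolute path inside $baseDir.
 * Returns null when the key is not whitelisted or the file resolves
 * outside $baseDir (defence in depth against a mistake in PAGES).
 */
function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                                   // not whitelisted: reject
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                   // missing or outside base dir
    }
    return $path;
}

$key = $_GET['page'] ?? 'home';                        // missing parameter: default page
if (!is_string($key)) {
    $key = '';                                         // e.g. page[]=x: treat as unknown
}

$file = resolve_page($key, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);                           // unknown page: reject, never include
    exit('Page not found');
}
include $file;
```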

Avoid Remote File Inclusion

If you do not need the inclusion of remote files you can set "allow_url_include=off" in your php.ini file to disable inclusion of remote files.


Contribute

If you are facing an issue that is not covered in our guides, we are happy to include solutions here. Please send us an e-mail to support@crashtest-security.com.

Crashtest Security

Crashtest Security is a Munich, Germany based start-up that redefines web application vulnerability scans. The Crashtest Security Suite is differentiating itself as a fully automated vulnerability scanner enhanced with artificial intelligence developed for the needs of the agile developer or SecDevOps. Clear vulnerability insights are provided as well as contextual actionable insights for risk mitigation.



For more information visit https://crashtest-security.com
