
File Inclusion

A file inclusion vulnerability allows an attacker to include arbitrary files in a web application, which exposes sensitive files. This article describes how you can efficiently prevent file inclusions.

Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

Vulnerability Information

A local or remote file inclusion allows an attacker to include arbitrary files in the web application, which exposes sensitive files. In some cases, the attacker can execute malicious code on the web server and take over the machine entirely.

Guides

A local or remote file inclusion exists when user input is not validated correctly and is passed to PHP file functions such as include_once, require, require_once, fopen, readfile, etc. Therefore, never include files directly from variables that the user can manipulate. The following code example shows one way to validate user input securely.

Validating User Input

<?php

// Only hard-coded file names ever reach include(); the user-supplied value
// is compared against known page names and is never used as a path itself.
if (isset($_GET['page']) && $_GET['page'] === 'home') {
    include('home.php');
} elseif (isset($_GET['page']) && $_GET['page'] === 'news') {
    include('news.php');
}
// some other pages

?>

The best way to avoid this vulnerability is to hard-code all files you need to include, as the example above shows. If you need to include files dynamically, allow only the characters that are actually required, such as a-zA-Z, and reject everything else, in particular ".", "/" and "\". An even better solution is to maintain a whitelist of files that are allowed to be included and reject any other file the user requests.

Note: If you implement your own filters and pass the filtered user input directly to the include functions, make sure the filters cannot be bypassed by techniques such as string encoding.
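The following is an added example, not code from the Crashtest Security article, that combines the three measures described above: a character filter applied to the raw parameter, a whitelist of page names, and a final check that the resolved path stays inside the pages directory. The directory name pages/ and the page list are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed layout: includable pages live in ./pages/<name>.php
const PAGES_DIR = __DIR__ . '/pages';
// Whitelist of page keys (not paths): the user picks a key, the code picks the file.
const ALLOWED_PAGES = ['home', 'news', 'contact'];

/**
 * Return the absolute path of the page file for $page, or null if the request
 * must be rejected. Nothing from $page is ever handed to include() directly.
 */
function resolvePage($page): ?string
{
    if ($page === null) {
        $page = 'home';                      // no parameter: default page
    }
    if (!is_string($page)) {
        return null;                         // ?page[]=x arrives as an array
    }

    // 1. Character filter on the raw value: letters only. Because this runs before
    //    any decoding, '/', '\', '.', '%', NUL and similar never get a chance
    //    to be turned into a path component later.
    if (!preg_match('/^[a-zA-Z]+$/', $page)) {
        return null;
    }

    // 2. Whitelist: the key must be one of the known pages (strict comparison).
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // 3. Defence in depth: realpath() resolves symlinks and '..' and returns false
    //    for missing files; the result must still sit below PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = resolvePage($_GET['page'] ?? null);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Requests such as ?page=../../etc/passwd, ?page=home%00 or ?page=http://... fail step 1, and a whitelisted key whose file has been removed fails step 3 instead of producing a PHP warning that leaks the directory layout.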

Avoid Remote File Inclusion

If you do not need to include remote files, set "allow_url_include=off" in your php.ini file to disable the inclusion of remote files entirely.

For more information about Crashtest Security, visit crashtest-security.com.