
File Inclusion

A file inclusion allows the attacker to include arbitrary files into the web application, which can result in the exposure of sensitive files. This article describes how you can efficiently prevent file inclusions.

Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

Vulnerability Information

A local/remote file inclusion allows the attacker to include arbitrary files into the web application, which can result in the exposure of sensitive files. In some cases the attacker is able to execute malicious code on the web server and can therefore take over the machine entirely.

Guides

A local/remote file inclusion exists when user input is not validated correctly and is passed to PHP functions such as include, include_once, require, require_once, fopen or readfile. Therefore never include files directly from variables that can be manipulated by the user. The following code example shows one way to validate user input securely.

Validating User Input

<?php

// Only hardcoded file names are ever passed to include();
// the user-supplied value is compared, never used as a path.
if (isset($_GET['page']) && $_GET['page'] == 'home') {
    include('home.php');
}
elseif (isset($_GET['page']) && $_GET['page'] == 'news') {
    include('news.php');
}
// some other pages

?>

The best way to avoid this vulnerability is to hardcode all files that you need to include, as the example above shows. If you really need to include files dynamically, you could allow only the characters that are needed, such as a-zA-Z, and reject anything else, such as ./\. An even better solution is to maintain a whitelist of files that are allowed to be included. Any other file requested by the user can simply be rejected.

Note: If you implement your own filters and pass the filtered user input directly to the various include functions, make sure that your filters cannot be bypassed by methods such as string encoding.
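The whitelist approach described above, as an added example that is not part of the original article: the user only ever supplies a key, the key is looked up in a fixed map, and the resolved path is additionally checked to lie inside an assumed pages directory (PAGES_DIR, ALLOWED_PAGES and resolvePage are names chosen for this example).

```php
<?php
// Added example, not from the original article. Assumes the includable
// pages live in a dedicated directory, here __DIR__ . '/pages'.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Map of permitted page keys to the files they resolve to. Only keys in
// this array can ever be included; the user never supplies a path.
const ALLOWED_PAGES = [
    'home' => 'home.php',
    'news' => 'news.php',
];

/**
 * Resolve a user-supplied page key to an absolute path inside PAGES_DIR,
 * or return null if the request must be rejected.
 */
function resolvePage(string $key): ?string
{
    // 1. Whitelist check: reject anything that is not a known key.
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null;
    }

    // 2. Defence in depth: confirm the resolved file really is inside
    //    PAGES_DIR. realpath() resolves symlinks and "../" segments and
    //    returns false if the file does not exist.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$key]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';   // default page when no parameter is given
$file = resolvePage(is_string($page) ? $page : '');

if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Requests such as page=../../etc/passwd or page=http://... never reach include(), because they are not keys of ALLOWED_PAGES.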

Avoid Remote File Inclusion

If you do not need the inclusion of remote files, set "allow_url_include=off" in your php.ini file to disable the inclusion of remote files. Note that this setting only blocks remote (URL) inclusion; local file inclusion still has to be prevented by validating the input as described above.

For more information about Crashtest Security visit crashtest-security.com