Local File Inclusion Web Vulnerability | What is it?
A Local File Inclusion (LFI) vulnerability occurs when a file from the target system is injected into the attacked server page. Netsparker confirmed this issue by reading some files from the target web server.
The impact can vary, based on the exploitation and the read permission of the web server user. Depending on these factors an attacker might carry out one or more of the following attacks:
- Gather usernames via an "/etc/passwd" file
- Harvest useful information from the log files such as "/apache/logs/error.log" or "/apache/logs/access.log"
- Remotely execute commands by combining this vulnerability with some other attack vectors, such as file upload vulnerability or log injection.
- If possible, do not permit appending file paths directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
- If you definitely need dynamic path concatenation, ensure that you only accept required characters such as "a-Z0-9" and do not allow "..", "/", "%00" (null byte) or any other similar unexpected characters.
- Finally, it is important to limit the API to allow inclusion only from a directory and directories below it. This way you can ensure that any potential attack cannot perform a directory traversal attack.