Local File Inclusion (LFI) Info & Remedy

Summary

Netsparker identified a Possible Local File Inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.

However, this issue could not be confirmed by Netsparker. Netsparker believes that this was not a local file inclusion, but there were some indications of a possible local file inclusion. There can be numerous reasons for Netsparker not being able to confirm it.

We strongly recommend you investigate the issue manually. You can also consider sending us the details of this issue so we can address it for the next time and give you more precise results.

Impact

Impact can differ based on the exploitation and the read permission of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:

Gather usernames via /etc/passwd file
Harvest useful information from the log files, such as "/apache/logs/error.log" or "/apache/logs/access.log"
Remotely execute commands via combining this vulnerability with some of other attack vectors, such as file upload vulnerability or log injection

Remediation

If possible, do not permit file paths to be appended directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
It's important to limit the API to allow inclusion only from a directory and directories below it. This ensures that any potential attack cannot perform a directory traversal attack.

Classifications

PCI v3.1-6.5.8, PCI v3.2-6.5.8, CAPEC-252, CWE-22, HIPAA-22, ISO27001-A.14.2.5, WASC-33, OWASP 2013-A4, OWASP 2017-A5 , CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Further Reading

Local File Inclusion Vulnerability