Remote File Inclusion Vulnerability | What is it and How to Remedy
Netsparker identified a possible remote file inclusion vulnerability on the target web application, which occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution.
Even though Netsparker believes there is a remote file inclusion in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is an remote file inclusion and needs to be addressed.
Impact may differ depending on the execution permissions of the web server user. Any included source code could be executed by the web server in the context of the web server user, hence making arbitrary code execution possible. Where the web server user has administrative privileges, full system compromise is also possible.
Required Skills for Successful Exploitation
There are freely available web backdoors/shells for exploiting remote file inclusion vulnerabilities, and using them requires little knowledge or attack skills. This has typically been one of the most widely leveraged web application vulnerabilities, therefore there is a high level of information readily available on how to mount and successfully undertake these forms of attacks.
- Wherever possible, do not allow the appending of file paths as a variable. File paths should be hard-coded or selected from a small pre-defined list.
- Where dynamic path concatenation is a major application requirement, ensure input validation is performed and that you only accept the minimum characters required, for example, "a-Z0-9", and that you filter out and do not allow characters such as ".." or "/" or "%00" (null byte) or any other similar multifunction characters.
- It's important to limit the API to only allow inclusion from a directory or directories below a defined path.