Local File Inclusion (LFI) / Remote File Inclusion (RFI)
LFI - Local File Inclusion
Local File Inclusion (LFI) is a method of including files that already exist on a server
through a specially crafted HTTP request. This vulnerability can be
exploited using a web browser and can be very easy to exploit.
The vulnerability occurs when user-supplied data is passed to an 'inclusion type'
function (such as include(), require(), etc.) without verifying the
file type and content on the server side.
These attacks are mostly accompanied by directory traversal attacks,
which can reveal sensitive data and lead to further attacks.
RFI - Remote File Inclusion
RFI is an abbreviation for Remote File Inclusion and is quite similar to
LFI. Remote File Inclusion (RFI) is a method of including remote
files (present on another server) on a server through a specially crafted
HTTP request.
This vulnerability can be exploited using a web browser and it is very
easy to exploit.
The vulnerability occurs when user-supplied data is passed, without sanitizing,
to an 'inclusion type' function (such as include(), require(), etc.).
LFI - Example
Change one of the values of the file you
want to include.
Let's say we want to see all of the users, so
we need to include the users file, which is
located at /etc/passwd.
LFI/RFI Prevention
Protection
To prevent LFI/RFI, apply a whitelist to the files that the
inclusion system is allowed to load.
Example:
$allowed_files = array('../includes/front/header.php', '../includes/front/footer.php');
$include_file = '../includes/front/header.php'; // e.g. the value selected from the request
// Include only when the exact path is on the whitelist and the file really exists
if (in_array($include_file, $allowed_files, true) && file_exists($include_file)) {
require_once($include_file);
}
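As an added example that is not part of the original slides, the vulnerable include pattern beside a whitelisted version that maps short page names to fixed files; the `page` parameter and the include paths are assumed:

```php
<?php
// Added example (not from the original slides). The 'page' parameter
// and the ../includes/front/ paths are assumed for illustration.

// VULNERABLE: the request value is concatenated straight into the
// include path, so a traversal sequence such as ../../etc/passwd
// (or a remote URL when allow_url_include is enabled) gets included.
function includePageUnsafe(string $page): void
{
    require_once('../includes/front/' . $page . '.php');
}

// SAFE: the request value is only ever used as a key into a fixed map.
// The user never supplies a path, so traversal or URL input cannot
// reach the filesystem at all.
const ALLOWED_PAGES = [
    'header' => '../includes/front/header.php',
    'footer' => '../includes/front/footer.php',
];

function resolvePage(string $page): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null; // not on the whitelist: reject, do not "clean" it
    }
    // realpath() resolves symlinks and returns false if the file is missing
    $real = realpath(ALLOWED_PAGES[$page]);
    return $real === false ? null : $real;
}

function includePageSafe(string $page): bool
{
    $file = resolvePage($page);
    if ($file === null) {
        http_response_code(404); // unknown page: fail closed
        return false;
    }
    require_once $file;
    return true;
}

// Usage with the user-supplied parameter, defaulting to the header page
includePageSafe($_GET['page'] ?? 'header');
```

Rejected requests are a useful detection signal: logging the offending `page` value at the 404 branch shows traversal or URL probing against the include parameter.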