Severity: High
Test name: Local File Inclusion (LFI)
Local File Inclusion is an attack against web applications that dynamically include local files or scripts. When such an application takes user input (a URL, a parameter value, etc.) and passes it into a file include call, it can be tricked into including local files that contain sensitive information, which is then disclosed to the attacker. In addition, if the application allows file uploads without proper validation, the attacker can upload a file containing malicious code and have the include call execute it; in this case the attacker needs to know the path at which the uploaded file was stored.
The issue is located in the server-side source code that builds the include path from the request.
The most effective solution is to avoid passing user-submitted input to any file system or framework include API at all.
If the set of files that may be included is limited, store each of them as a record in persistent storage (for example, a database table) under an opaque identifier. Requests then carry the identifier, and the application resolves it to the one file that record names; anything not in the table is rejected.
If the allowed files cannot be enumerated in advance and user input cannot be avoided, validate the supplied value before using it: compare it against an allowlist of trusted file names and reject everything else. As a second check, canonicalize the resolved path and confirm it still lies inside the intended directory, so that traversal sequences such as ../ or an absolute path cannot escape it.
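The following is an added example, not code from the original page: a vulnerable include helper written in Python next to the two remediations described above (identifier lookup and allowlist plus canonical-path check). The template directory, file names, page identifiers and the "secret" configuration file are all constructed here so the script runs offline.

```python
"""Local File Inclusion: a vulnerable path builder beside two hardened
variants. Added example; the sandbox directory, template files and the
secret file are constructed for the demonstration."""
import os
import tempfile

# Constructed sandbox: a template directory plus a secret file one level up.
_ROOT = tempfile.mkdtemp(prefix="lfi_demo_")
TEMPLATE_DIR = os.path.join(_ROOT, "templates")
os.makedirs(TEMPLATE_DIR)
for _name, _body in (("home.tpl", "<h1>Home</h1>"), ("about.tpl", "<h1>About</h1>")):
    with open(os.path.join(TEMPLATE_DIR, _name), "w") as _f:
        _f.write(_body)
SECRET_PATH = os.path.join(_ROOT, "config.ini")
with open(SECRET_PATH, "w") as _f:
    _f.write("db_password=hunter2")


def include_vulnerable(page: str) -> str:
    """Vulnerable: the request parameter is joined straight into the path.
    '../config.ini' walks out of TEMPLATE_DIR; an absolute value such as
    '/etc/passwd' makes os.path.join discard TEMPLATE_DIR entirely."""
    path = os.path.join(TEMPLATE_DIR, page)
    with open(path) as f:
        return f.read()


# Hardened (1): requests carry an opaque identifier, never a file name.
# The mapping stands in for the database table mentioned in the text.
PAGE_IDS = {"1": "home.tpl", "2": "about.tpl"}


def include_by_id(page_id: str) -> str:
    """Resolve the identifier through the table; unknown ids are rejected."""
    filename = PAGE_IDS.get(page_id)
    if filename is None:
        raise ValueError("unknown page id")
    with open(os.path.join(TEMPLATE_DIR, filename)) as f:
        return f.read()


# Hardened (2): allowlist of file names plus a canonical-path containment check.
ALLOWED_FILES = frozenset({"home.tpl", "about.tpl"})


def include_allowlisted(page: str) -> str:
    """Accept only names on the allowlist, then verify the canonical path
    still lies inside TEMPLATE_DIR (defends against symlinked entries)."""
    if page not in ALLOWED_FILES:
        raise ValueError("file not in allowlist")
    base = os.path.realpath(TEMPLATE_DIR)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes template directory")
    with open(target) as f:
        return f.read()


def attempt(fn, arg: str) -> str:
    """Run an include helper and report 'REJECTED' instead of raising."""
    try:
        return fn(arg)
    except ValueError:
        return "REJECTED"


if __name__ == "__main__":
    print("vulnerable, legit:", include_vulnerable("home.tpl"))
    print("vulnerable, traversal:", include_vulnerable("../config.ini"))
    print("by id, legit:", include_by_id("1"))
    print("by id, traversal:", attempt(include_by_id, "../config.ini"))
    print("allowlist, legit:", include_allowlisted("about.tpl"))
    print("allowlist, traversal:", attempt(include_allowlisted, "../config.ini"))
```

The vulnerable helper returns the contents of config.ini for the traversal input, while both hardened helpers reject it before any file is opened. The identifier lookup is the stronger of the two because the request never names a file; the allowlist variant keeps the canonical-path check as a second layer in case a listed name is later replaced by a symlink.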