Remote File Inlcusion(RFI)-page-1
A Remote File Inclusion is vulnerability often find in websites, in which an attacker is allowed to include remote files located on the other server. An attacker could thus include a malicious shell, located on some other location, in order to get access to the whole server, where the website is located.
File Inclusion is supported by most of the web languages such as PHP, ASP, ASP.NET Perl, JSP etc. It is done to create a module and then changing the content dynamically by including different files, not having to code the same thing again and again. For the sake of convenience we would take example of a PHP page and understand what Remote File Inclusion is.
Remote File Inclusion Attacks can lead to :
- Code Execution on Web Server
- Code Execution on Client Side
- Denial of Service (DoS) Attacks
- Data Theft
PHP in particular is mostly vulnerable to RFI, due to extensive use of file includes in PHP programming and due to default server configurations.
Following are the include statements which are used in PHP :
include() : Include a file, and if not found, generate a warning
require() : Inlcude a file, and if it is not found, generate a warning, and halt the script execution
include_once() : Identical to include, plus checks whether the file has already been included
require_once() : Identical to require, plus checks whether the file has already been included(required) php.ini contains the php settings and the directives that set the php settings at runtime. The allow_url_fopen and allow_url_inlcude directives enable network protocols like http:// which could be used with the statements such as include(), require(), include_once() and require_once().
So, RFI could only exist if the allow_url_fopen directive is 1 and in case of PHP>=5.2.0, the allow_url_include() should also be 1.
Let us say there is a vulnerable webpage which has the following code snippet :
$page = $_GET[‘page’];
In the first line of code, it takes the GET variable and stores it in a variable named page. In the second line, it includes the variable content and will try to display it contents.
The above code will work fine, as long as the GET content is of its own website.
What an attacker will do here, is instead of website’s content, such as first, second and third, he will try to include a remote URL, not located on the website’s server. In that case, the website, will take it as a normal input and will try to display its contents.
If content of attackerdomain.com is displayed on the website, then the website is vulnerable to Remote File Inclusion.