Remote File Inclusion

Overview

Remote file inclusion becomes possible when a website uses unsanitized user input in the commands that include code from other files into the main code of a web page. This can allow an attacker to include code of his own choosing.

What makes a site vulnerable?

Maintaining all the code for a web page or website in a single file can become cumbersome. A convenient alternative is to separate the code into multiple files and then bring these files together with 'include' commands. An 'include' command takes as its argument the name of the file to include. The path to the file may be a relative path or an absolute URL. If user input is used in the construction of this path, then the user may be able to modify the path to point to a file hosted on his own website. The attacker can then put any code he desires into that file, to be included and executed whenever the affected web page is viewed.

Impact of the attack

By being able to run code of his choosing on the website, the attacker will be able to exercise a high degree of control over the website and the web server on which it runs. The attacker will probably be able to make any changes he likes to the website, access its data, and upload other code to the server. As an example, the attacker could carry out a Web Proxy Autodiscovery Protocol Hijacking attack and redirect all traffic from a network proxy.

Preventing the attack

The attack can be prevented by forbidding the use of user-derived input in the include path and file name. It is rarely necessary to feed user input into the path at all. Instead, the user input can be used to select from a fixed list of possible file names. If user input must be used to form the name, then the input should be filtered before inclusion, and this filtering should pass only input that adheres to a format known to be correctly handled by the website.
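The two mitigations described above, as an added example in Python rather than code from the original article. The include directory, the page names and the "page" query parameter are all constructed for the illustration; the unsafe function is kept only to show what the fixed versions refuse.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed example: page fragments live under this directory (assumed
# location) and the visitor picks one with a "page" query parameter.
INCLUDE_ROOT = Path("/srv/app/pages")

# Mitigation 1 (preferred): user input only *selects* from a fixed list;
# the file names themselves never come from the request.
PAGE_ALLOWLIST = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}

# Mitigation 2 (when the name itself must come from the user): accept only
# a strict format, so a URL scheme ("http://"), path separators and ".."
# can never appear in the included path.
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,32}")


def unsafe_include_target(user_value: str) -> str:
    """The vulnerable pattern: the request value becomes the include path
    unchanged, so a remote URL passes straight through to the include."""
    return user_value


def include_target_from_allowlist(user_value: str) -> Optional[Path]:
    """Look the user's choice up; anything not in the list is refused."""
    filename = PAGE_ALLOWLIST.get(user_value)
    if filename is None:
        return None
    return INCLUDE_ROOT / filename


def include_target_from_filtered_name(user_value: str) -> Optional[Path]:
    """Validate the format first, then build the path and confirm it still
    resolves inside INCLUDE_ROOT (defence in depth against traversal)."""
    if not SAFE_NAME.fullmatch(user_value):
        return None
    candidate = (INCLUDE_ROOT / f"{user_value}.html").resolve()
    try:
        candidate.relative_to(INCLUDE_ROOT.resolve())
    except ValueError:
        return None
    return candidate
```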