April 26, 2023 / By Securium Solutions
File inclusion vulnerability allow an attacker to read, include and even execute files on the server that are not intended to be accessible. These vulnerabilities are most common in web applications but they can also exist in desktop or mobile applications.
These vulnerabilities occurs most commonly through parameters (such as file path or URLs) used by an application to load or execute files. If the application fails to sanitize any malicious user input either completely or partially, the attacker could modify the input to access unintended files. The attacker could access any file or directory that the vulnerable application has access privilege to.
This could lead to the disclosure of sensitive information like user credentials, logs files, configuration files, financial data and source code. Potentially, the attacker might also be able to modify the contents of the files on the server. In some cases, an attacker can also execute arbitrary code on the server which could give the attacker complete control of the vulnerable server. The attacker could also perform Denial of Service by overwhelming the server resources or exploiting a known vulnerability in the server.
Types of file inclusion vulnerability.
Local File Inclusion (LFI) and Remote File Inclusion (RFI) are two types of file inclusion vulnerability. The main difference between them is that in LFI vulnerability the attacker can only read and execute local files on the server while in RFI the attacker can also force the server to include and execute files from a remote server. RFI are harder to discover due to their nature.
What is the difference between LFI and Path Traversal?
While these two vulnerabilities appear to be the same, they have a primarily difference. LFI vulnerability allows an attacker to access and execute a file but path traversal vulnerability allows an attacker to only access (but not execute) a file.
Some mitigations for this vulnerability includes
1) Application developers should sanitize and validate any user input before loading files from the server.
2) File access should be restricted to only those files and directories required for the function.
3) User input should be checked to ensure that only expected characters and words are processed.
4) Regular security assessments should be performed.
Author
Karan
Cyber Security Intern
