File inclusion vulnerability
File inclusion vulnerability
Description
A file inclusion vulnerability is a type of web vulnerability that usually affects programming languages that rely on a scripting run time. This vulnerability arises when an application constructs a path to executable code using a user controlled argument. This construction allows the attacker to dictate which file gets executed during runtime.
Unlike a path traversal attack, where unauthorized access to the file system allows read-only file access, a file inclusion vulnerability allows for the inclusion and the execution of code at runtime. Successfully exploiting this vulnerability may allow for remote code execution, unauthorized file access and sensitive information leakage.
File inclusion vulnerabilities can be divided into two major categories:
- Local File Inclusion (LFI): In this scenario, an attacker is limited to local files present on the web server, depending on the programming language and the configuration, it may be possible to escalate this attack into a remote code execution using special schemes like
php://. - Remote File Inclusion (RFI): Although not very common in modern web apps, if present, this vulnerability may allow for remote code execution by including malicious.
<?php
$page = $_GET['page'];
include($page . '.php');
?>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%
String page = request.getParameter("page");
include(page + ".jsp");
%>
<!DOCTYPE html>
<html>
<head>
<title>Test file</title>
</head>
<body>
<!--#include file="$USER_LANGUAGE"-->
</body>
</html>
Recommendation
To address File Inclusion vulnerabilities, consider the following recommendations:
- Avoid Dynamic File Inclusion from user input: unless necessary, avoid calling
include(),require()or similar functions with user controlled input. - Input Whitelisting: Use whitelists to only allow known and expected input values.
- Input Validation and Sanitization: Sanitize user input from special characters that may allow for path traversal like
../ - Use File Mapping Array: Create an array that assigns unique indexes to allowed files. Each index corresponds to a specific file within your application.
<?php
// Get the requested page from the query string
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
// Define a whitelist of allowed pages
$allowed_pages = ['home', 'about', 'contact'];
// Check if the requested page is in the whitelist
if (in_array($page, $allowed_pages)) {
// Include the valid page
include($page . '.php');
} else {
// Redirect to a default page or display an error message
include('error.php');
}
?>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.util.List" %>
<%
// Get the requested page from the query string
String page = request.getParameter("page");
// Define a whitelist of allowed pages
List<String> allowedPages = List.of("home", "about", "contact");
// Check if the requested page is in the whitelist
if (allowedPages.contains(page)) {
// Include the valid page
%><jsp:include page="<%= page %>.jsp" /><%
} else {
// Redirect to a default page or display an error message
response.sendRedirect("error.jsp");
}
%>
<!DOCTYPE html>
<html>
<head>
<title>Test file</title>
</head>
<body>
<!--#if expr='"$USER_LANGUAGE" =~ /^(en|fr|es)$/ -->
<!--#include file="/path/to/allowed_languages/$USER_LANGUAGE"-->
<!--#else -->
<p>Invalid language selection.</p>
<!--#endif -->
</body>
</html>
Links
Standards
- CWE_TOP_25:
- CWE_22
- GDPR:
- ART_5
- ART_32
- PCI_STANDARDS:
- REQ_6_5
- REQ_11_3