Local or Remote File Inclusion or Read

Summary

LFI/RFI allows an attacker to include local or remote files into a web application, leading to potential information disclosure, code execution, or server compromise.

Description

Local File Inclusion (LFI) and Remote File Inclusion (RFI) are vulnerabilities that occur when a web application allows user-controlled input to specify a file to be included or executed. Attackers can exploit this vulnerability to disclose sensitive information, execute arbitrary code, or compromise the server.

Remediations

  • Use an allow-list of the directories from which the application may read or include files, and accept a requested file only if it resolves to a location inside one of them.
  • If possible, disable file inclusion features for application users.
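An added example (not part of this catalogue entry) of the allow-list remediation in Python. It assumes a hypothetical templates directory `/var/www/app/templates` and a user-supplied `page` parameter: the value is canonicalised and accepted only if it lands inside an allow-listed directory, while URL-scheme values (RFI and stream wrappers) and embedded NUL bytes are rejected.

```python
import os
from urllib.parse import urlsplit

# Constructed allow-list for this example: the only directory the
# application is permitted to include files from.
ALLOWED_DIRS = ["/var/www/app/templates"]


class IncludeRejected(ValueError):
    """Raised when a requested include falls outside the allow-list."""


def resolve_include(user_value: str, allowed_dirs=ALLOWED_DIRS) -> str:
    """Map an untrusted include parameter to an allow-listed absolute path.

    Rejects NUL bytes, anything carrying a URL scheme (http://, php://, data:
    ... i.e. RFI or wrapper abuse), and any path that canonicalises outside the
    allowed directories (LFI via '../' traversal, absolute paths or symlinks).
    """
    if "\x00" in user_value:
        raise IncludeRejected("NUL byte in include parameter")
    # A non-empty scheme means a remote or wrapper target, not a local file.
    # (A bare filename containing ':' is also refused, which is acceptable here.)
    if urlsplit(user_value).scheme:
        raise IncludeRejected("remote or wrapper include not permitted")
    for base in allowed_dirs:
        real_base = os.path.realpath(base)
        # os.path.join discards real_base if user_value is absolute; realpath
        # then collapses '..' and resolves symlinks, so we compare the final path.
        candidate = os.path.realpath(os.path.join(real_base, user_value))
        # commonpath (not startswith) defeats prefix tricks such as
        # /var/www/app/templates_private; the base directory itself is not a file.
        if candidate != real_base and os.path.commonpath([candidate, real_base]) == real_base:
            return candidate
    raise IncludeRejected("resolved path is outside the allow-list")


def is_allowed(user_value: str) -> bool:
    """Convenience wrapper: True if the include would be accepted."""
    try:
        resolve_include(user_value)
        return True
    except IncludeRejected:
        return False
```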
Anatomy

Usually follows

  • SQL Injection
  • Directory Traversal
  • Server Side Request Forgery (SSRF)

Usually precedes

  • Authentication Bypass
  • Insecure Deserialization
  • Remote Code Execution (RCE)

Affected components

  • Server