Remote File Inclusion

[rmikehodges]

/ Title: Remote File Inclusion Description: Remote File Inclusion Vulnerability /

• LAST UPDATED DATE: 12 - 13 -15
• LAST UPDATED BY: Mike Hodges

  Summary

A file inlcusion vulnerability that allows an attacker to include a file located at an external URL

Capabilities and Risk

• Allows attackers to execute arbritrary code on the server that could potentially lead to complete compromise of the system

  Detection

• Identify scripts that take filenames as parameters
• Pass an external url to a file as parameter to the application and verify that the application rendered/executed the file
• If not immediately successful, attempt to identify the filter being used and craft input that attempts to bypass it

  Remediation

Properly validate all input being passed to file inclusion methods.

References

• https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion
• http://securityxploded.com/remote-file-inclusion.php
• http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion

  Exploitation

--In progress--