Local File Inclusion (LFI)
Description
A Local File Inclusion (LFI) vulnerability allows an attacker to execute a program or script that is available on the local server.
For example,
http://site.com/?include=register.php
This is implemented in PHP on the server as:
$include = $_GET['include'];
include('pages/' . $include);
This is an unsafe implementation because it does not validate the user's input.
The attacker may therefore supply any other local file, which the server will then execute:
http://site.com/?include=admin/reset.php
LFI and Path Traversal look similar, but they are not the same. LFI executes a file, whereas Path Traversal only reads the file's content.
Impact
- Sensitive internal information may get compromised.
- Internal hosts can be accessed.
- The impact depends mainly on what the attacker can access: it may be limited to some information disclosure, or it may lead to a full compromise of the server.
- It may lead to Remote Code Execution (RCE).
Prevention
- Never trust the user: always filter user input before passing it on to further functions.
- Instead of placing a file path in the URL, store the path in a database, assign it a numeric ID, and use that ID in the URL.
- Prefer whitelisting the files you want to allow.
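As an added example (not code from the original note), the unsafe include from above sits beside a hardened version that applies the last two prevention points: the URL carries only a numeric ID, the ID is looked up in a fixed whitelist, and the resolved path is checked to stay inside the pages directory. The `page` parameter, the `pages/` directory and the file names in the list are assumptions for illustration.

```php
<?php
// Unsafe pattern from the note: user input flows straight into include().
function vulnerable_include(string $userInput): void
{
    include('pages/' . $userInput);   // e.g. ?include=admin/reset.php
}

// Hardened: the URL carries a numeric id that is mapped to a file name
// through a fixed whitelist, so the user never supplies a path at all.
// (Assumed names; in practice the list could live in a database.)
const PAGE_WHITELIST = [
    1 => 'register.php',
    2 => 'login.php',
    3 => 'contact.php',
];

function resolve_page(string $idParam, string $baseDir): ?string
{
    // Accept only a short run of digits; reject anything else outright.
    if (!preg_match('/^\d{1,6}$/', $idParam)) {
        return null;
    }
    $id = (int) $idParam;
    if (!array_key_exists($id, PAGE_WHITELIST)) {
        return null;
    }
    // Defence in depth: confirm the final path still lies inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGE_WHITELIST[$id]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: ?page=1 includes pages/register.php; any other value is refused.
$page = resolve_page($_GET['page'] ?? '', __DIR__ . '/pages');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```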