Local File Inclusion (LFI)
A Local File Inclusion (LFI) vulnerability allows an attacker to make the server include, and therefore execute, a program or script that is already present on the local server.
For example, a page loader implemented in PHP on the server as:
<?php
// Vulnerable: the user-controlled value is concatenated into the include path unchecked.
$include = $_GET['include'];
include('pages/' . $include);
This implementation is unsafe because it does not validate the user's input: the attacker can supply the name of any other local file, and the server will include and execute it.
LFI and Path Traversal look similar, but they are not the same: LFI executes the included file, whereas Path Traversal can only read the content of the file.
Impact:
- Sensitive internal information may be disclosed.
- Internal hosts may become reachable.
- The impact depends mainly on what the attacker can access; it may be limited to some information disclosure, or it may lead to a full compromise of the server.
- It may lead to Remote Code Execution (RCE).
Mitigation:
- Never trust the user: always validate and filter user input before passing it to any further function.
- Instead of putting a file path in the URL, store the paths in a database, assign each one a numeric ID, and use the ID in the URL.
- Prefer whitelisting the files that you want to be includable.
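The following is an added example, not code from the original page: it places the unsafe loader from above beside a hardened version that applies the last two mitigations (a numeric ID in the URL, mapped server-side to a whitelist of page files). The `page` parameter, the PAGE_MAP entries and the pages/ directory are assumed for illustration.

```php
<?php
// Added example (not from the original page): unsafe include beside a
// hardened loader that uses a numeric ID and a server-side whitelist.

// UNSAFE (as on the page): the raw GET parameter reaches include(), so
// whatever path the client sends is what the server includes.
function unsafe_include_path(string $userInput): string
{
    return 'pages/' . $userInput;   // no validation at all
}

// SAFE: the URL only carries a numeric ID. The server owns the mapping
// from ID to file name, so user input never becomes part of a path.
// (Assumed map; a real site would load it from a database.)
const PAGE_MAP = [
    1 => 'home.php',
    2 => 'about.php',
    3 => 'contact.php',
];

function resolve_page(string $idParam): ?string
{
    // Accept only a plain decimal integer: rejects "", "1/../x", "-1", "1e3".
    if ($idParam === '' || !ctype_digit($idParam)) {
        return null;
    }
    $id = (int) $idParam;
    if (!array_key_exists($id, PAGE_MAP)) {
        return null;   // unknown ID: never guess a file name from it
    }
    // The result is always one of the whitelisted files under pages/.
    return 'pages/' . PAGE_MAP[$id];
}

// Dispatcher: anything that does not resolve gets a 404, not an include.
$page = resolve_page($_GET['page'] ?? '');
if ($page === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}
include $page;
```

Run from the CLI without a `page` parameter the script simply answers "Page not found"; behind a web server, only `?page=1`, `?page=2` and `?page=3` ever reach `include`.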