Local File Inclusion (LFI)

Description

Local File Inclusion (LFI) is a vulnerability in the way an application fetches or processes local files on the server by a user-supplied path. Most cases are caused by the PHP include function.

The attacker has to upload the malicious script to the target server to be executed locally.

Business Impact

An attacker could exploit this vulnerability by requesting files by their path through the vulnerable parameter.

Recommendation

To prevent this vulnerability, validate the input coming from the user so that it cannot carry unwanted values, by whitelisting the specific files that may be included.

More Details

Local file inclusion means unauthorized access to files on the system.

Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser: the attacker manipulates the input, injects path traversal characters, and includes other files from the web server.

The best way to mitigate this vulnerability is to hardcode all files you need to include.
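The following is an added example, not code from this page or from Kayran, showing the pattern the Recommendation and the paragraph above describe in PHP: a vulnerable include that passes the request parameter straight to include(), beside a hardened version in which the set of includable files is hardcoded as a whitelist. The page names (home, about, contact), the pages/ directory and the function names are assumptions made for the example.

```php
<?php
// Added example (not Kayran's code): vulnerable include vs. whitelisted include.

// VULNERABLE: the user-controlled "page" parameter is concatenated into the
// include path, so a value containing path traversal characters lets the
// request choose which local file is included.
function includePageUnsafe(string $page): void
{
    include 'pages/' . $page . '.php';
}

// HARDENED: the only files that can ever be included are declared here, in code.
// The request value is used solely as a key into this fixed map. (Assumed names.)
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Returns true when a whitelisted page was included, false when the value was
// rejected. Nothing from the request ever reaches include() directly.
function includePageSafe(string $page): bool
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        http_response_code(404);
        return false;
    }
    include ALLOWED_PAGES[$page];
    return true;
}

// Usage: $_GET values can be arrays, so check the type before using the value.
$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !includePageSafe($page)) {
    // Rejected values are worth logging: repeated hits on this branch are a
    // useful detection signal for LFI probing against the parameter.
    error_log('Rejected page parameter: ' . var_export($page, true));
}
```

The key design choice is that the whitelist maps request values to paths rather than validating the path string itself: no amount of encoding or traversal in the parameter can produce a key that is not already in ALLOWED_PAGES, so there is no filter to bypass.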

Reference

https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
