Local File Inclusion (LFI)

Description

During the scan, Kayran found a Local File Inclusion (LFI) vulnerability.
LFI is a vulnerability in the way the server fetches or processes local files by their local path.
In most cases, it is caused by a PHP "include" function. For a malicious script to be executed this way, the attacker has to upload it to the target server first, because it is executed locally.

An attacker could exploit this vulnerability by requesting certain, possibly sensitive files by their paths through the vulnerable parameter. The attacker may then use these files to conduct further attacks.

LFI means that even unauthorized personnel have access to files on the system. Attackers abuse it to include files on a server through the web browser: it allows them to manipulate the input, inject path traversal characters and possibly include other files from the web server. The best way to deal with this vulnerability is to "hardcode" all the files that need to be included. Example of code vulnerable to LFI:

// The user-controlled "file" parameter is passed straight to include()
if (isset($_GET['file'])) {
    include($_GET['file']);
}

Recommendation

To prevent this vulnerability, make sure that the input coming from the user is valid and that it does not contain any unwanted, potentially malicious content, by whitelisting the files in question.
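
One way to apply the whitelisting and "hardcode" advice to the vulnerable snippet above, shown as an added example that is not Kayran's own code. The page keys, file names and the pages/ directory are assumptions made for illustration.

```php
<?php
// Added example: allowlist replacement for include($_GET['file']).
// The page keys, file names and pages/ directory are assumptions.
const PAGES_DIR = __DIR__ . '/pages';

// Accepted request values mapped to hardcoded files. User input is only
// ever a lookup key, never part of a filesystem path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Return the absolute path for a requested page, or null when the
// request value is not on the allowlist.
function resolve_page($requested): ?string
{
    // Reject arrays (?file[]=x) and any other non-string input.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key match: values carrying path traversal characters or
    // extra suffixes do not match any key and are refused.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // Defence in depth: the file must exist and, after symlinks are
    // resolved, still sit inside PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$page = resolve_page($_GET['file'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

Anything not on the list gets the same 404 response whether or not the file exists on disk, so the response does not reveal which paths are present on the server.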
