
Remote File Disclosure

Impact: High

Description

Remote File Disclosure (RFD) is a vulnerability that allows an attacker to disclose files located on remote servers by abusing dynamic file inclusion mechanisms in the target application. The vulnerability arises when user-supplied input is used as the location of the file to include without proper validation.

In a Remote File Disclosure issue, the server fetches the attacker-chosen URL and includes the content of the remote file in its response. This can lead to unauthorized access to sensitive information and, because the attacker controls where the server sends its request, it also constitutes a server-side request forgery (SSRF) issue.

Recommendation

To mitigate RFD vulnerabilities, avoid passing user-submitted input to URL inclusion mechanisms. If this is unavoidable, maintain an allow list of trusted URLs that may be included, and let the user select among them with an identifier rather than a URL. Reject any request carrying an identifier that is not on the list, so that no user-controlled location ever reaches the fetch logic.
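The following is an added example illustrating the recommendation; it is not SmartScanner's code. It contrasts the vulnerable pattern (the server fetches whatever URL the user supplies) with the hardened pattern (the user supplies only an identifier, which is looked up in a fixed allow list and rejected if unknown). The resource names and cdn.example.com URLs are constructed placeholders.

```python
# Added example (not SmartScanner's code): allow-listed identifiers mapped to
# trusted URLs, the mitigation described in the Recommendation above.
# Identifiers and URLs below are constructed placeholders.
from urllib.request import urlopen

# The only remote documents the application is ever allowed to include.
# Keys are opaque identifiers exposed to users; values never leave the server.
ALLOWED_RESOURCES = {
    "terms": "https://cdn.example.com/legal/terms.html",
    "privacy": "https://cdn.example.com/legal/privacy.html",
}


def include_unsafe(user_url: str) -> bytes:
    """Vulnerable pattern: the user controls the URL the server fetches, so any
    location reachable from the server (including internal hosts) can be pulled
    into the response. Kept here only to show what the hardened form replaces."""
    with urlopen(user_url) as resp:  # deliberately unsafe
        return resp.read()


def is_allowed(identifier: str) -> bool:
    """Exact-match membership test. No normalisation, no prefix matching, and no
    attempt to 'repair' the identifier: anything not literally in the list fails."""
    return identifier in ALLOWED_RESOURCES


def resolve_resource(identifier: str) -> str:
    """Hardened pattern: user input selects an identifier, never a URL.
    Unknown identifiers are rejected outright with a ValueError."""
    if not is_allowed(identifier):
        raise ValueError(f"unknown resource identifier: {identifier!r}")
    return ALLOWED_RESOURCES[identifier]


def include_safe(identifier: str) -> bytes:
    """Fetch only a URL the server itself chose from the allow list."""
    url = resolve_resource(identifier)
    with urlopen(url) as resp:
        return resp.read()


if __name__ == "__main__":
    # Offline demonstration of the lookup step (no network access performed).
    for candidate in ["terms", "privacy", "../terms",
                      "https://cdn.example.com/legal/terms.html"]:
        try:
            print(f"{candidate!r:50} -> {resolve_resource(candidate)}")
        except ValueError as exc:
            print(f"{candidate!r:50} -> rejected ({exc})")
```

Note that even a full URL that happens to equal one of the allow-listed values is rejected when supplied directly: the user never provides a URL, only a key, so the validation is a simple exact-match lookup and nothing the user sends is ever parsed as a location.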

Last updated on May 13, 2024

This issue is available in SmartScanner Professional