Local File Inclusion

Impact: High

Description

Local File Inclusion (LFI) is a vulnerability in which an application's dynamic file inclusion mechanism (for example PHP's include/require, or a template or view loader) builds the path of the file to load from user-supplied input without proper validation. An attacker supplies a traversal sequence such as ../../etc/passwd, or an absolute path, and causes the application to load a file it was never meant to serve. The content of that file is returned in the response, disclosing configuration, credentials or source code; and if the included file contains code in the language the inclusion mechanism interprets, the application executes it, so an attacker who can also place code in a file on the server can turn LFI into code execution.

Recommendation

To mitigate LFI, do not pass user-submitted input to filesystem or framework file-loading APIs at all. Where that is unavoidable, maintain an allow list of the files that may be included and expose only an opaque identifier (a key or index) to the client; resolve the identifier to a file name on the server side and reject any request whose identifier is not in the list. Filtering user input for patterns such as ../ is not a substitute: alternative encodings and platform-specific path forms routinely bypass such deny lists, whereas an allow list keyed by identifier leaves the attacker no path to control.
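The following is an added illustration of the recommendation above, not code from SmartScanner or from any scanned application. It builds a constructed document root in a temporary directory, shows a handler that splices the user's value into the path (the vulnerable pattern the description refers to), and beside it a handler that resolves an opaque identifier through an allow list. All names (DOC_ROOT, ALLOWED_PAGES, the page and file names) are hypothetical. As a second line of defence, the hardened handler also canonicalises the resolved path and confirms it stays inside the pages directory, which is an extra check not stated on this page.

```python
import os
import tempfile
from typing import Dict, Optional

# Constructed sample web root: one page the application is allowed to include
# and one file outside the pages directory standing in for a config file or
# /etc/passwd. Hypothetical layout, created only so the example runs offline.
DOC_ROOT = tempfile.mkdtemp()
PAGES_DIR = os.path.join(DOC_ROOT, "pages")
os.makedirs(PAGES_DIR, exist_ok=True)
with open(os.path.join(PAGES_DIR, "about.html"), "w") as f:
    f.write("<h1>About</h1>")
SECRET_PATH = os.path.join(DOC_ROOT, "secret.conf")
with open(SECRET_PATH, "w") as f:
    f.write("db_password=hunter2")


def include_vulnerable(page: str) -> str:
    """Vulnerable: the user-supplied value becomes part of the path.

    '../secret.conf' walks out of PAGES_DIR, and an absolute path makes
    os.path.join discard PAGES_DIR entirely, so any readable file on the
    host can be returned in the response.
    """
    path = os.path.join(PAGES_DIR, page)
    with open(path) as fh:
        return fh.read()


# Allow list: the client only ever sends one of these keys. The file name on
# the right is chosen by the developer and never derived from the request.
ALLOWED_PAGES: Dict[str, str] = {
    "about": "about.html",
}


def include_safe(page_id: str) -> Optional[str]:
    """Hardened: map an opaque identifier to a developer-chosen file name.

    Returns None (a web handler would answer 404) for any identifier that is
    not in the allow list, before anything touches the filesystem. The
    realpath containment check is defence in depth: even if the allow list
    were ever mis-edited to contain a traversal, nothing outside PAGES_DIR
    can be served.
    """
    file_name = ALLOWED_PAGES.get(page_id)
    if file_name is None:
        return None
    path = os.path.realpath(os.path.join(PAGES_DIR, file_name))
    if os.path.commonpath([path, os.path.realpath(PAGES_DIR)]) != os.path.realpath(PAGES_DIR):
        return None
    with open(path) as fh:
        return fh.read()


def demo() -> Dict[str, Optional[str]]:
    """Run both handlers against a legitimate request and two attack inputs."""
    return {
        "vuln_legit": include_vulnerable("about.html"),
        "vuln_traversal": include_vulnerable("../secret.conf"),
        "vuln_absolute": include_vulnerable(SECRET_PATH),
        "safe_legit": include_safe("about"),
        "safe_traversal": include_safe("../secret.conf"),
        "safe_absolute": include_safe(SECRET_PATH),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result!r}")
```

Running the block shows the vulnerable handler returning the secret file for both the traversal and the absolute-path input, while the hardened handler returns None for anything other than the identifier "about". Note that the hardened version never inspects or sanitises the client's value; it only asks whether the value is a known key.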

Last updated on May 13, 2024

This issue is available in SmartScanner Professional