Remote File Inclusion
Description
The File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs because user-supplied input is used to select the included file without proper validation. OWASP
In a Remote File Inclusion, the content of the remote file is fetched and executed. This allows attackers to run arbitrary code on the server. Furthermore, because the server fetches a URL chosen by the client, the same flaw is also a Server-side request forgery issue.
Recommendation
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible, the application can maintain an allow list of files that may be included by the page, and then use an identifier (for example the index number) to access the selected file. Any request containing an invalid identifier must be rejected; in this way there is no attack surface for malicious users to manipulate the path. OWASP
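The allow-list approach above, as an added example that is not part of the original page or of OWASP's material. The client only ever submits an index ("1", "2", "3"); the server maps it to a fixed path built from constants, and anything else is rejected before it reaches any filesystem or include API. The fragment directory, file names and the classification of rejected values (useful for logging and detection) are assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

# Constructed example: the directory and fragment names are assumptions,
# not values taken from the original page.
FRAGMENT_ROOT = PurePosixPath("/var/www/app/fragments")

# The allow list. Only these identifiers are accepted from the client,
# and the client never supplies a path or URL, only an index.
ALLOWED_FRAGMENTS = {
    "1": "header.html",
    "2": "footer.html",
    "3": "sidebar.html",
}

# A URL scheme at the start of a value (http:, https:, ftp:, data: ...).
_SCHEME_RE = re.compile(r"^\s*[a-zA-Z][a-zA-Z0-9+.-]*:")


class InvalidIncludeError(ValueError):
    """Raised when a client-supplied identifier is not on the allow list."""


def resolve_fragment(identifier: str) -> PurePosixPath:
    """Map a client-supplied identifier to a fixed server-side path.

    The returned path is built only from constants; the identifier is used
    purely as a lookup key, so the client cannot influence the path itself.
    """
    if not isinstance(identifier, str):
        raise InvalidIncludeError("identifier must be a string")
    try:
        name = ALLOWED_FRAGMENTS[identifier]
    except KeyError:
        raise InvalidIncludeError(f"unknown fragment identifier: {identifier!r}") from None
    return FRAGMENT_ROOT / name


def classify_include_value(value: str) -> str:
    """Triage a raw 'page' parameter for logging and alerting.

    Returns one of:
      'allowed'   - on the allow list, would be served
      'remote'    - starts with a URL scheme: a remote-inclusion attempt
      'traversal' - contains path separators or '..': a local-path attempt
      'unknown'   - rejected for any other reason
    """
    if value in ALLOWED_FRAGMENTS:
        return "allowed"
    if _SCHEME_RE.match(value):
        return "remote"
    if ".." in value or "/" in value or "\\" in value:
        return "traversal"
    return "unknown"


def handle_page_request(params: dict) -> tuple[int, str]:
    """Request handler sketch returning (status, body or log message)."""
    identifier = params.get("page", "")
    try:
        path = resolve_fragment(identifier)
    except InvalidIncludeError:
        kind = classify_include_value(str(identifier))
        return 400, f"rejected include request ({kind})"
    # A real application would read and render the file at `path` here;
    # this example only reports which fixed file would have been included.
    return 200, str(path)


if __name__ == "__main__":
    print(handle_page_request({"page": "2"}))
    print(handle_page_request({"page": "http://example.invalid/x"}))
```

The important property is that the identifier never becomes part of the path or URL: it is a dictionary key, so even a value that looks like a URL or a traversal sequence can only produce a rejection. The classification is purely for the server's own logs, so that repeated "remote" or "traversal" rejections stand out when reviewing access patterns.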
References
- OWASP: Testing for Remote File Inclusion
- Wikipedia: File inclusion vulnerability
- CWE-98
- CWE-20
- OWASP 2021-A3
- CWE-77
- OWASP 2017-A1
- OWASP 2021-A10
- CWE-918