
File Inclusion (LFI / RFI) vulnerability

What is an LFI/RFI vulnerability and how to prevent it?

This type of vulnerability can be found in a web application which uses user inputs to operate.


What is a Local File Inclusion vulnerability?

There are two types of file inclusion vulnerabilities: Local File Inclusion and Remote File Inclusion. The difference between them lies in the origin of the included file.

Local File Inclusion (LFI)

In a Local File Inclusion (LFI) vulnerability, the included file is already present on the server that hosts the application targeted by the attack. The attacker's aim is to read sensitive files containing critical information, such as configuration files.

If you want to know more about this type of vulnerability I invite you to consult the following article on our site.

Remote File Inclusion (RFI)

Unlike the previous flaw, Remote File Inclusion (RFI) aims to include a remote file on the victim's server. To do this, the attacker puts the URL of the malicious file in one of the GET parameters of the URL. The file is then executed by the victim's server.

Security flaws

PHP code example:

if (isset($_GET['CITY'])) {
    // Vulnerable: the request parameter becomes the include path without any validation
    $city = $_GET['CITY'];
    include($city . '.php');
}

This code is vulnerable because the file to be included depends entirely on a GET parameter in the URL, which the user can modify. There is no check at all, so the attacker can even enter paths that go up the directory tree of the vulnerable web application. Don't forget that PHP and Apache are an entry point to the whole system because port 80 is exposed.

This vulnerability allows an attacker to read, and sometimes run, files on the victim machine. This can be very dangerous: if the web server is incorrectly configured and runs with high privileges, the attacker may gain access to sensitive information. If the attacker is able to place code on the web server by other means, they may run commands on the victim's machine.

Secure your sites

How to protect yourself against File Inclusion vulnerabilities?

The best solution is to check user inputs with conditions, to ensure that what has been entered is consistent with what you expect.
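
One way to implement such a check for the CITY parameter shown above, as an added example that is not code from the original page: the user value is only looked up in a fixed allowlist and is never concatenated into the include path. The `pages` directory, the city names and the `resolveCityPage()` helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout: page fragments live in ./pages (hypothetical directory).
const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: the only CITY values that map to a file (constructed sample names).
const CITY_PAGES = [
    'paris'  => 'paris.php',
    'london' => 'london.php',
];

/**
 * Resolve a user-supplied CITY value to a file path, or null if it is rejected.
 */
function resolveCityPage(mixed $input): ?string
{
    // Reject arrays (?CITY[]=x) and any other non-string value.
    if (!is_string($input)) {
        return null;
    }
    // The user value only selects a key; it never becomes part of a path.
    if (!array_key_exists($input, CITY_PAGES)) {
        return null;
    }
    return PAGES_DIR . '/' . CITY_PAGES[$input];
}

// In the request handler, the vulnerable include() would become:
//   $page = resolveCityPage($_GET['CITY'] ?? null);
//   if ($page === null) { http_response_code(404); exit; }
//   include $page;

// Constructed sample inputs: one valid key, then values that must be rejected.
$samples = ['paris', '../config', 'http://example.test/x', 'paris.php', ['a']];
foreach ($samples as $s) {
    $path = resolveCityPage($s);
    printf("%-26s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $path ?? 'rejected');
}
```

Only `paris` resolves to a path; the relative path, the URL, the value with an extension and the array are all rejected before `include` is reached.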

Web Vulnerability Scanner of HTTPCS

How to detect TOP 10 OWASP vulnerabilities?

Detect security flaws on your website or web application with the Web Vulnerability Scanner of HTTPCS. This online security tool allows you to detect any flaws you have (top 10 OWASP, CVE and other vulnerabilities implemented in the robot) to ensure the best protection of your site on a daily basis. Easily schedule automated audits, discover your vulnerabilities and find out what patches to apply to avoid being hacked.
