Byte-ul

[PHP Series] Local File Inclusion (LFI) and Remote File Inclusion (RFI)


What is it?

  • Local file inclusion is where the file system of a Web application is traversed and a file is included where it should not have been (a common exposure attack).
  • Remote file inclusion is where a file from another website is included into a Web application (commonly to execute malicious code).

How do I prevent it?

  • Both of these vulnerabilities only arise when dynamic paths are used (specifically, where user input is made a part of that dynamic path). They both require serious oversights by the Web developer, and yet they're both very simple to prevent.
  • For LFI prevention, if you know the file names you're looking to include, then the whitelist approach (LINK TO IT) (as described in section A) can be used to ensure that only verified files are included. If, on the other hand, you don't have a list of valid file names to include, then you can perform some basic sanitisation to prevent directory traversal. The basename() function can do just this:

<?php

// basename() strips every directory component, so a value that survives the
// round-trip unchanged contains no "/" or "\" and no "../" traversal sequence.
if (basename($_GET['file_name']) !== $_GET['file_name']) {
    // invalid file specified: reject the request rather than include anything
    exit('Invalid file name');
}


The basename() function evaluates its parameter and returns only the trailing name component. Therefore, if a path is given (perhaps in an LFI attempt), the function returns only the file name or the last directory in the specified path. Neither of these return values would pass the above validation.
You can prevent RFI in much the same way as in the above case. As an extra preventative measure against RFI, you can also disable the allow_url_fopen directive to nullify the ability to reference remote resources.
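The following is an added example (not code from the original post) that puts the two techniques above into one include handler: a whitelist for the case where the page names are known, the basename() round-trip for the case where they are not, and a realpath() containment check as defence in depth. The directory name templates/, the constant names and the page parameter are assumptions made for the example.

```php
<?php
// Added example: a hardened include handler for a page parameter.
// Assumed layout: page templates live in ./templates/ and nothing else
// may ever be included from user input.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';
// Set to null when you do not have a fixed list of valid page names;
// the basename() and realpath() checks below still apply in that case.
const ALLOWED_TEMPLATES = ['home', 'about', 'contact'];

/**
 * Return the absolute path of the template to include, or null if the
 * request must be rejected.
 */
function resolveTemplate(string $requested): ?string
{
    // 1. Whitelist (preferred): only names we know about. A URL can never
    //    match, so this also rules out RFI regardless of php.ini settings.
    if (ALLOWED_TEMPLATES !== null && !in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. basename() round-trip: a bare file name is unchanged, while any
    //    "../", "/" or "\" component makes the result differ from the input.
    if (basename($requested) !== $requested) {
        return null;
    }
    // 3. Resolve the final path and confirm it really lies under TEMPLATE_DIR
    //    (catches anything the first two checks missed, e.g. a symlink).
    $root = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $requested . '.php');
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = resolveTemplate($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(400);
    exit('Invalid page requested');
}
require $file;
```

Alongside the allow_url_fopen setting mentioned above, allow_url_include=Off in php.ini is the directive that specifically governs whether include/require may load a URL, so check both when hardening the server.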

Credits: http://www.hackforums.net/showthread.php?tid=4238146
