Remote file inclusion (RFI) occurs when the application executes a file located on an external server, which is usually controlled by the attacker. This enables the attacker to execute arbitrary code as a part of the application, in effect allowing them to do anything that the application and the application platform can do. It could potentially result in the attacker gaining complete control of the system. RFI affects PHP applications.
Remote file inclusion allows an attacker to execute arbitrary code with great ease. Usually, RFI is exploited by specifying a URL to the attacker's script of choice as a part of the HTTP request. The vulnerable application loads the malicious script from the URL and executes it as a part of the application. The attacker will typically use a "web shell" as the attack script and as a result gain full control of the application platform. From there, the attacker might leverage additional vulnerabilities to take full control of the server. Actually,the attacker usually has no need to go this far, because taking full control of the application platform will usually give them all the access they want. If there is something particularly valuable on the target network, the attacker can use the compromised server to pivot their way around the network and attack other machines on it.
RFI is extremely easy to exploit and to automate, which has led to RFI vulnerabilities being used to create powerful botnets in 2011. These botnets were used for numerous high-profile DDoS attacks. As a result, RFI became well known and a simple mitigation measure, disabling loading remote PHP scripts, became well known. At this point, RFI is relatively rare because most hosting providers know to disable loading external PHP scripts. RFI is still an extremely dangerous vulnerability that can be easily avoided by configuring PHP accordingly.
To prevent RFI, configure PHP for security by disabling remote file inclusion, and including files safely.
Disable remote file inclusion:
Include files safely:
To check for adequate protection against RFI, ensure that PHP is configured for security so that remote file inclusion is disabled, and files are included safely.
Files are included safely:
Computer Based Training Links
Use the following Computer Based Training courses for more background information about this type of vulnerabilities.
Creating Secure PHP Code
This course introduces best practices for developing secure PHP code. The course also identifies common PHP vulnerabilities that attackers can exploit to gain access to critical information. In addition, the course explains mitigation techniques that you can use to avoid common PHP vulnerabilities and write secure code. After completing this course, you will be able to describe the best practices for developing secure PHP code, explain common PHP vulnerabilities and learn mitigation techniques to avoid common PHP vulnerabilities and write secure code.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact firstname.lastname@example.org for help.
- For more information about Remote File Inclusion, see http://en.wikipedia.org/wiki/Remote_file_inclusion