How To Spot and Fix LFIs/RFIs

Annex
Posts: 8
Joined: Mon Oct 08, 2007 6:00 pm


Post by Annex »

LFI stands for Local File Inclusion. This is the act of inserting the source of a file into the source of a PHP script using the function include() or require(), while the file and the script are on the same server. RFI stands for Remote File Inclusion. As you may have guessed, RFI is the act of inserting the source of a file into the source of a PHP script using the function include() or require(), while the script and file are on different servers.

How is this Dangerous?

Local and Remote File Inclusions allow malicious users to run PHP scripts that give them access to PHP shells, where they can find database information and use it to further their power on the server, with the intention of causing damage. Some popular PHP shells are c99 and r57.

How do I find these vulnerabilities?

These vulnerabilities usually occur when someone is using a variable in an include function. For the script to be vulnerable, the variable that is being included must not be defined in the lines above the include statement. By using the $_GET PHP variables, a malicious user will insert the URL of the remote/local script as the variable, and since it is not defined above, PHP automatically assumes that that is the variable and takes the data. Variables like these are common in open source applications, and with people who don't have the time to program properly.

There are some on my server. How can I fix these?

There are several ways to fix these File Inclusions. One is to have the same $_GET name be a different, useless variable. Another is to define the variable above the call in the script. A third would be to have the script die if the variable isn't set at a certain point.

There are some in applications I use. What should I do?

Approach the vendor of the applications and point out the flaw in his/her programming, then provide them with the patched version that isn't vulnerable.
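As an added example (not code from Annex's post), here is the vulnerable pattern described above next to a fixed version that combines two of the suggested remedies: defining the variable above the include from a fixed list, and dying when the request does not name a known page. It assumes a hypothetical site whose pages live under ./pages/ and are selected with a ?page= parameter.

```php
<?php
// Added example, not from the original post. Assumes pages live under
// ./pages/ and are chosen with ?page=NAME (hypothetical layout).

// VULNERABLE: $page is never defined above the include, so whatever the
// request supplies in ?page= goes straight into include(). With
// allow_url_include enabled this is an RFI; otherwise it is still an LFI.
function render_page_vulnerable(): void
{
    $page = $_GET['page'];
    include($page . '.php');
}

// FIXED: the only values that can ever reach include() are the ones in
// this allow-list, and the script dies if the request names anything else.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_page(?string $requested): ?string
{
    // Strict comparison so "0", "", or a URL cannot match an entry.
    if ($requested === null || !in_array($requested, ALLOWED_PAGES, true)) {
        return null; // unknown or missing page: never touch the filesystem
    }
    return __DIR__ . '/pages/' . $requested . '.php';
}

function render_page_fixed(): void
{
    $path = resolve_page($_GET['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        die('Unknown page');
    }
    include $path;
}

render_page_fixed();
```

Setting allow_url_include=Off in php.ini is a worthwhile server-side backstop, but it does not remove the local-file case, so the allow-list in the code is still needed.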


SHAdmin
Posts: 2089
Joined: Sat Dec 18, 2004 11:28 am

Post by SHAdmin »

Thank you for sharing such a great 'How To'.
