LFI: Local file inclusion.

After going through many tutorials I have two things I can't figure out:

  1. Checking the vulnerability: I don't understand what makes a website vulnerable or not. For example, in the Stack Exchange network itself we can make changes in the URL:

https://security.stackexchange.com/questions/ask <-- for asking a question.

https://security.stackexchange.com/tags <-- tags

So I can go to any location in the site, which means it is vulnerable to LFI, right?

  2. Is this vulnerability specific to sites run on Linux/Unix? What if the site doesn't contain the /etc/passwd directory, would it be vulnerable? (What if there is no such directory in the site?)
Mohammad

1 Answer

The idea of a Local File Inclusion issue is that you can use the web application to load up files on the filesystem that either shouldn't be available (e.g. things outside the web root) or files within the webroot that shouldn't be loaded up inside a page.

So, for example:

http://example.com/file.php?file=main_page.php

In this application the file parameter is used to specify the page that the application should load up, in this case main_page.php. If the attacker can change it to

http://example.com/file.php?file=../../../etc/passwd

he can get access to that file from the system, which could be useful for him in attacking the system. Alternatively he might be able to load a config file which contains application/database passwords.

In terms of vulnerability, any web application language/framework could suffer from this, but PHP does seem to be particularly prone to this and Remote File Inclusion issues.

Rory McCune
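
The `file` parameter pattern from the answer above, next to a hardened resolver, as an added example that is not part of the original answer. The `pages/` directory, the page names and the function name `resolve_page` are assumptions made for illustration.

```php
<?php
// Added example; pages/ and the page names are assumptions for illustration.

// Pattern the answer describes: the request parameter is concatenated into
// a filesystem path, so "../" sequences walk out of the intended directory.
//   include __DIR__ . '/pages/' . $_GET['file'];

const PAGES_DIR = __DIR__ . '/pages';

// Allow-list: the parameter only selects a key and is never used as a path.
const PAGES = [
    'main_page' => 'main_page.php',
    'contact'   => 'contact.php',
];

// Returns the canonical path of an allowed page, or null if the request
// is not on the list or resolves outside PAGES_DIR.
function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;                     // "../../../etc/passwd" stops here
    }
    // Defence in depth: realpath() resolves "..", "." and symlinks, and
    // returns false when the file does not exist.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    // The trailing separator keeps a sibling such as "pages_old" from
    // passing a bare prefix comparison against "pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['file'] ?? 'main_page');
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}
include $target;
```

Because the parameter is only ever a lookup key, what decides exposure is whether request input reaches a filesystem call, not which paths exist on the host.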