In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible.
Those of you reading this blog series might notice a lot of similarities between the remote file inclusion vulnerability and the local file inclusion and path traversal vulnerability discussed previously. Their root causes are similar, as are the recommended fixes.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible. Or better yet, web applications should be designed in such a way as to prevent it from occurring in the first place.
In this episode, we will learn:
The remote file inclusion vulnerability takes advantage of the "dynamic file include" command or mechanism that exists in most programming frameworks. The ability is intended to allow developers to use files located on a secondary server to execute activities on the application server. Obviously, this can be dangerous in the wrong hands.
How attackers exploit this ability is by finding any website or application that allows uncontrolled user input, which can come from things like HTTP headers or input areas in interactive forms. They use that as a launching point to generate file include commands.
For example, if a site uses the GET function to load pages, such as page = request.getParameter("page'); include page; then an attacker could send in a query using the page command, but with a URL of a site they control and file path to the file they want to execute. The query then gets passed to the server and the remote file is executed on the host. The activity is allowed because it is now part of the trusted app.
The level of danger posed by remote file inclusion is extremely high. Unlike with local file inclusion vulnerabilities, where files an attacker runs must exist on a host, and also be found by the attacker using trial and error, there are no restrictions like that with remote file inclusion. Obviously, an attacker knows the location of the files they want to exploit since they likely exist on their own machines, or sites they control. The files can also be hand chosen by them, and don't need to exist on the target machine prior to the exploit. The file might even consist of scripts specifically written to exploit a remote host.
In short, once an attacker is able to find and exploit a remote file inclusion vulnerability, there is nothing to stop them from gaining total control over an application or even an entire site. Certainly, no data stored there will be safe from their incursion.
Never allow user input to pass directly to a file inclusion command for execution. Instead, use an indirect reference map of commands and only execute commands from there. An indirect reference map maps untrusted user input to a set of hardcoded trusted values on the server. Be sure to whitelist any areas where users can input data, and don't forget to include HTTP headers, form parameters and even cookies in that list. Doing that will close any window that an attacker looking to create a file include command can use.
As a bonus, proper sanitization and validation of user-generated content and employing reference maps to execute commands will not only squash the remote file inclusion vulnerability, but quite a few others as well, including this bug's dangerous cousin, the local file inclusion and path traversal exploit.
For further reading, you can take a look at the OWASP reference guide for remote file inclusion exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.