File inclusion vulnerability

A file inclusion vulnerability is a type of web vulnerability that most commonly affects web applications that rely on a scripting runtime. The issue arises when an application builds a path to executable code from an attacker-controlled variable in a way that lets the attacker choose which file is executed at run time. A file inclusion vulnerability is distinct from a generic directory traversal attack: directory traversal is a way of gaining unauthorized file system access, whereas a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability results in remote code execution on the web server that runs the affected web application. An attacker can use remote code execution to create a web shell on the web server, which can be used for website defacement.

Remote file inclusion

Remote file inclusion (RFI) occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI supplied as a user-controlled parameter to the web application.

Local file inclusion

Local file inclusion (LFI) is similar to a remote file inclusion vulnerability except that, instead of remote files, only local files (files on the current server) can be included for execution. This issue can still lead to remote code execution by including a file that contains attacker-controlled data, such as the web server's access logs.

PHP

In PHP the main cause is the use of unvalidated user input with a filesystem function that includes a file for execution. Most notable are the include and require statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. The PHP language has a directive which, if enabled, allows filesystem functions to use a URL to retrieve data from remote locations. The directive is allow_url_fopen in PHP versions <= 4.3.4 and allow_url_include since PHP 5.2.0. In PHP 5.x this directive is disabled by default; in prior versions it was enabled by default. To exploit the vulnerability an attacker alters a variable that is passed to one of these functions so that it includes malicious code from a remote resource. To mitigate this vulnerability, all user input must be validated before being used.

Consider this PHP script which includes a file specified by request:

The developer intended to read in english.php or french.php, which alters the application's behavior to display the language of the user's choice. But it is possible to inject another path using the language parameter. The best solution in this case is to use a whitelist of accepted language parameters. If a strong method of input validation such as a whitelist cannot be used, then rely upon input filtering or validation of the passed-in path to make sure it does not contain unintended characters and character patterns. However, this may require anticipating all possible problematic character combinations. A safer solution is to use a predefined switch/case statement to determine which file to include, rather than using a URL or form parameter to dynamically generate the path.

JavaServer Pages

JavaServer Pages (JSP) is a scripting language which can include files for execution at runtime. The following script is vulnerable to a file inclusion vulnerability:

Server Side Includes

Server Side Includes are very uncommon and are not typically enabled on
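The PHP script the article refers to is not reproduced on this page. The block below is an added example, not the article's own code: it shows the pattern the article describes (a request parameter, assumed here to be named language, concatenated into an include path) beside the two mitigations the article recommends, a whitelist of accepted values and a switch/case mapping, and adds a runtime check of the allow_url_fopen and allow_url_include directives. The lang/ directory containing english.php and french.php is an assumption of the example.

```php
<?php
// Added example, not the article's own script. Assumes a "lang/" directory next
// to this file that contains english.php and french.php, and a request
// parameter named "language" (the article's description of the vulnerable script).

declare(strict_types=1);

// --- Vulnerable pattern described in the article: the request value is
// concatenated straight into the include path. With allow_url_include enabled
// this can pull code from a remote URL (RFI); with it disabled, local files
// outside lang/ can still be included (LFI). Shown for contrast, never called.
function include_language_unsafe(array $get): void
{
    $language = $get['language'] ?? 'english';
    include 'lang/' . $language . '.php';   // attacker-controlled path
}

// --- Mitigation 1: whitelist. Only values in this list are ever used; anything
// else falls back to the default, so untrusted input never reaches the filesystem.
const ALLOWED_LANGUAGES = ['english', 'french'];

function resolve_language(?string $requested): string
{
    return in_array($requested, ALLOWED_LANGUAGES, true) ? $requested : 'english';
}

function include_language_whitelist(array $get): void
{
    $language = resolve_language($get['language'] ?? null);
    include 'lang/' . $language . '.php';   // only 'english' or 'french' get here
}

// --- Mitigation 2: switch/case mapping, the article's "safer solution". The
// request value only selects a branch; every path is a literal chosen by the code.
function language_file_switch(?string $requested): string
{
    switch ($requested) {
        case 'french':
            return __DIR__ . '/lang/french.php';
        case 'english':
        default:
            return __DIR__ . '/lang/english.php';
    }
}

// --- Defence in depth: report whether the runtime permits URL-based includes,
// so an RFI exposure elsewhere in the code base is caught by configuration.
function remote_include_settings(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Usage: log a misconfiguration, then serve the page with the whitelisted include.
$settings = remote_include_settings();
if ($settings['allow_url_include']) {
    error_log('allow_url_include is On: any user-influenced include path becomes RFI');
}
include_language_whitelist($_GET);
```

The whitelist and the switch differ in where the trust boundary sits: with the whitelist the untrusted string is compared against known values and then reused, whereas with the switch it is never reused at all, only matched. Either removes the need to anticipate every problematic character pattern that path filtering would have to catch. The settings check belongs in a startup or health-check path; the corresponding php.ini setting is allow_url_include = Off.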
RFI (disambiguation)

This disambiguation page lists articles associated with the title RFI. RFI may refer to:

Organisations
Radio France Internationale, a French international radio broadcaster
RFI România, the radio's branch in Romania, its biggest international branch
Rete Ferroviaria Italiana, the Italian railway infrastructure manager
Rifle Factory Ishapore, an arms manufacturing facility at Ichapore, India
Rowing Federation of India, the central body for the sport of rowing in India

Other uses
Radio-frequency interference
Remote File Inclusion, a type of web application exploit
Request for information, a business process
Request for information (parliamentary procedure), a parliamentary procedure

See also
Radio-frequency identification (RFID)

Retrieved from https://en.wikipedia.org/w/index.php?title=RFI&oldid=1223177112