Local File Inclusion
A vulnerability in which the application takes a file name from user input and opens or includes that file without first sanitizing the input. The result is that a file is included (or disclosed) where it should not have been.
Example local file inclusion attacks
A website lets users view PDFs through a URL such as download.php?file=myfile.php. Because the file parameter is not properly checked, a malicious user can instead request /etc/passwd and read sensitive configuration information from the web server.
Defending your website from local file inclusion attacks in PHP
<?php
// Reject any request whose value is not a bare file name: a path such as
// "../../etc/passwd" or "/etc/passwd" changes under basename(), so the comparison fails.
if (!isset($_GET['file']) || basename($_GET['file']) !== $_GET['file']) {
    die('INVALID FILE REQUESTED');
}
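The basename() comparison above is a good first gate, but a practitioner would normally layer it with an allowlist of permitted file names and a containment check on the resolved path, so that a symlink or an unexpected file type inside the PDF directory cannot be served either. The following is an added example written for this page, not code from the original author; the function name resolvePdfPath, the temporary directory, the sample file report.pdf and the sample requests are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied file name to a path inside $baseDir, or return null.
 * Defence in depth: the basename() check from the page, a strict allowlist of
 * characters and extension, and a realpath() containment check.
 * (Example code added to this page; names and paths are constructed.)
 */
function resolvePdfPath(string $baseDir, string $requested): ?string
{
    // 1. Only a bare file name is acceptable: no "/", no "../", no absolute path.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    // 2. Allowlist: letters, digits, dash, underscore, and a mandatory .pdf suffix.
    //    This also rejects "config.php", "report.pdf.txt" and stream wrappers like "php://".
    if (!preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $requested)) {
        return null;
    }
    // 3. Resolve both paths and confirm the target really lives under $baseDir.
    //    realpath() follows symlinks, so a link inside the directory that points
    //    elsewhere resolves to its real location and fails the prefix test.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return null; // directory or file does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the PDF directory
    }
    return $target;
}

// --- Constructed demonstration: a temporary directory holding one legitimate PDF ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', "%PDF-1.4\n% constructed sample\n");

$requests = [
    'report.pdf',        // legitimate request
    '../../etc/passwd',  // traversal: rejected by the basename() check
    '/etc/passwd',       // absolute path: rejected by the basename() check
    'config.php',        // wrong extension: rejected by the allowlist
    'missing.pdf',       // well-formed but absent: realpath() returns false
];
foreach ($requests as $r) {
    $path = resolvePdfPath($dir, $r);
    printf("%-20s => %s\n", $r, $path === null ? 'REJECTED' : 'serve ' . basename($path));
}

// Remove the demonstration files.
unlink($dir . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($dir);
```

In a real download.php the returned path would be passed to readfile() with a Content-Type of application/pdf; the function itself never touches the request superglobals, which keeps it easy to unit test with the kind of inputs shown in the loop. Each of the three checks would stop the /etc/passwd request on its own; the value of layering them is that a future change to one (for example relaxing the allowlist to permit spaces) does not silently reopen the directory.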