A file inclusion allows the attacker to include arbitrary files into the web application, resulting in the exposure of sensitive files. This article describes how you can efficiently prevent file inclusions.

File Inclusion Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

File Inclusion Vulnerability Information

A local or remote file inclusion allows the attacker to include arbitrary files into the web application, resulting in the exposure of sensitive files. In some cases, the attacker can execute malicious code on the webserver and take over the machine entirely.

How to Prevent File Inclusion

A local/remote file inclusion exists when user input is not validated correctly and is passed to PHP functions such as include, include_once, require, require_once, fopen, readfile, etc. Therefore, never include files directly from variables that the user can manipulate. The following code example shows one way to validate user input securely.

Validating User Input

<?php

// Each allowed value of the page parameter is compared against a fixed string,
// and the file name passed to include is a hardcoded literal, never user input.
if(isset($_GET['page']) and $_GET['page'] == 'home') {
    include('home.php');
}
elseif(isset($_GET['page']) and $_GET['page'] == 'news') {
    include('news.php');
}
// some other pages
// Any other value of page matches no branch and nothing is included.

?>

The best way to avoid this vulnerability is to hardcode all files you need to include, as the example above suggests. If you really need to include files dynamically, allow only the characters that are needed, like a-zA-Z, and reject anything else, like ./\. A possibly even better solution is to maintain a whitelist of files that are allowed to be included; any other file that the user requests is rejected.

Note: If you implement your own filters and pass the filtered user input directly to the various include functions, ensure that your filters cannot be bypassed using methods like string encoding.

Avoid Remote File Inclusion

If you do not need the inclusion of remote files, you can set “allow_url_include=off” in your php.ini file to disable the inclusion of remote files.
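The following is an added example, not code from the original article, combining the recommendations above: a whitelist of includable files, a character filter as a second layer, and a runtime check that remote inclusion is disabled. It assumes a hypothetical layout in which page templates live in a pages/ directory next to the script and that the page keys and file names below are placeholders.

```php
<?php
// Added example (not from the original article). Assumed layout: templates
// are stored in __DIR__ . '/pages/'; the page keys and file names are placeholders.

declare(strict_types=1);

// Whitelist: user-visible page keys mapped to the files they may include.
// The user's string is only ever used as an array key, never as a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

/**
 * Returns the template file for a requested page key, or null if the
 * request must be rejected. Callers decide how to respond to null.
 */
function resolvePage(?string $requested): ?string
{
    // No parameter at all: serve the default page.
    if ($requested === null || $requested === '') {
        return ALLOWED_PAGES['home'];
    }

    // Defence in depth: only a-zA-Z is accepted before the lookup, so
    // characters like . / \ and NUL bytes never reach the filesystem.
    // \z is used instead of $ because $ would also accept a trailing newline.
    if (preg_match('/^[a-zA-Z]+\z/', $requested) !== 1) {
        return null;
    }

    // The whitelist is the real control: unknown keys are rejected.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    return ALLOWED_PAGES[$requested];
}

// Remote file inclusion should be disabled in php.ini (allow_url_include=off).
// If it is still on at runtime, record that so the misconfiguration is noticed.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; disable it in php.ini');
}

$file = resolvePage($_GET['page'] ?? null);

if ($file === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}

// Only a whitelisted literal from ALLOWED_PAGES ever reaches include.
include __DIR__ . '/pages/' . $file;
```

The character filter alone is not the safety boundary; it only reduces what reaches the lookup. Because the value passed to include is always taken from ALLOWED_PAGES and never from the request, encoding tricks against the filter do not change which file is included.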
