Description
Remote File Disclosure (RFD) is a vulnerability that allows an attacker to disclose files located on remote servers by exploiting dynamic file inclusion mechanisms implemented in the target application. The vulnerability occurs when user-supplied input reaches those inclusion mechanisms without proper validation.
In a Remote File Disclosure issue, the server fetches the user-controlled remote URL and includes the content of the remote file in its response. This can lead to unauthorized access to sensitive information and also constitutes a server-side request forgery (SSRF) issue, since the server is made to issue requests to locations chosen by the requester.
Recommendation
To mitigate RFD vulnerabilities, avoid passing user-submitted input to URL inclusion mechanisms. If this is unavoidable, maintain an allow list of trusted URLs that may be included and expose only an opaque identifier to the client, which the server maps to the selected resource. Reject any request whose identifier is not on the allow list, so that the attack surface is reduced to the pre-approved entries.
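The allow-list approach above, as an added example that is not part of this advisory: a Python resolver that accepts only a pre-approved identifier and maps it server-side to its URL, shown beside the vulnerable pattern that fetches whatever URL the request names. The identifiers, URLs and the injected fetch callable are constructed placeholders.

```python
"""Allow-list resolver for remote includes (added example, not from the advisory)."""
import re
from typing import Callable
from urllib.parse import urlparse

# Constructed allow list: the only remote resources this application may include.
# Identifiers and URLs are hypothetical placeholders.
INCLUDE_ALLOW_LIST = {
    "header": "https://static.example.com/fragments/header.html",
    "footer": "https://static.example.com/fragments/footer.html",
    "terms": "https://legal.example.com/terms.html",
}
ALLOWED_HOSTS = {urlparse(u).hostname for u in INCLUDE_ALLOW_LIST.values()}

# Identifiers are short opaque tokens; a URL, a path or '..' can never match.
IDENTIFIER_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")


class InvalidIncludeError(ValueError):
    """The request asked for an include that is not on the allow list."""


def resolve_include(identifier: str) -> str:
    """Map a user-supplied identifier to its allow-listed URL, or reject it."""
    if not isinstance(identifier, str) or not IDENTIFIER_RE.fullmatch(identifier):
        raise InvalidIncludeError("malformed include identifier")
    try:
        return INCLUDE_ALLOW_LIST[identifier]
    except KeyError:
        raise InvalidIncludeError("unknown include identifier") from None


def include_remote(identifier: str, fetch: Callable[[str], str]) -> str:
    """Fetch an allow-listed fragment; `fetch` is injected so this runs offline.

    The resolved URL is re-checked against the allow list, so a bug elsewhere
    that lets an arbitrary URL reach this point still fails closed.
    """
    url = resolve_include(identifier)
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        raise InvalidIncludeError("resolved URL is outside the allow list")
    return fetch(url)


def vulnerable_include(user_url: str, fetch: Callable[[str], str]) -> str:
    """The pattern the advisory describes: the request supplies the URL itself,
    so the server fetches whatever location is named and echoes its body."""
    return fetch(user_url)
```

Calling `include_remote("header", fetch)` returns the fetched fragment, while a raw URL, a traversal-looking token or an unknown name such as `"admin"` raises `InvalidIncludeError` before any request is made.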
References
- OWASP: Testing for Remote File Inclusion
- Wikipedia: File inclusion vulnerability
- CWE-20
- CWE-918
- CWE-98
- CAPEC-193
- OWASP 2021-A10
- OWASP 2021-A3