Detectify
Knowledge Base

Local File Inclusion / Path Traversal

Last Updated: Jul 25, 2016 11:48AM CEST

Local file inclusion (LFI) and path traversal vulnerabilities occur when user-supplied data is able to probe the underlying file system of the server. In other words, an attacker can, among other things, read files from the server.

What can happen?

Due to the nature of this vulnerability, there is a wide range of consequences it can have when exploited. At least one of the following should be expected:

  • Listing of filenames and/or directories on the file system

  • Ability to read the contents of arbitrary files

  • Denial of service of the web application

  • Denial of service of the full server

  • Probing of other devices on the intranet (NAT / Firewall bypass)

Example of local file inclusion

In PHP, a vulnerable script for including different web pages could look like this:

<?php
// Vulnerable: the "file" query parameter goes into the include path unchecked.
if (isset($_GET['file']))
{
    $file = $_GET['file'];
    include("pages/$file");
}
else
{
    include("index.php");
}

A sample request that exploits the flaw could look something like this:

http://example.com/index.php?file=../../../../../etc/passwd

The ../ sequences make the path resolve upward, out of the expected “pages” directory in the web root, to the root of the file system. /etc/passwd is then appended and included, leaking the local users on the machine.

Remediation

Avoid passing any user data to the filesystem. If you have to, you need to maintain a whitelist of authorized file names and avoid opening any files other than those on the whitelist.
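
The whitelist approach applied to the script above, as an added example (not Detectify's code). The page names, file names and the resolve_page() helper are hypothetical, and the sample inputs in the command-line branch are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical whitelist: the keys are the only values accepted from the
// request, and the file names on the right are fixed by the developer.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a requested page name to a file under $baseDir.
 * Returns null when the name is not on the whitelist.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // ?file[]=x arrives as an array, so anything that is not a string is rejected.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // The path is built from the whitelist value, never from the request itself.
    return $baseDir . '/' . ALLOWED_PAGES[$requested];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs, including the traversal string from the example above.
    $samples = ['about', '../../../../../etc/passwd', ['about'], 'about.php'];
    foreach ($samples as $input) {
        printf(
            "%s => %s\n",
            json_encode($input, JSON_UNESCAPED_SLASHES),
            json_encode(resolve_page($input, 'pages'), JSON_UNESCAPED_SLASHES)
        );
    }
    exit(0);
}

// Web request: unknown names get a 404 instead of reaching include().
$path = resolve_page($_GET['file'] ?? 'home', __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

Run from the command line, only 'about' resolves to a path (pages/about.php); the traversal string, the array and the raw file name all map to null.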
