Local file inclusion (LFI) and path traversal vulnerabilities occur when user-supplied data is able to probe the underlying file system of the server. In other words, an attacker can, among other things, read files from the server.
What can happen?
Due to the nature of this vulnerability, there is a wide range of consequences it can have when exploited. At least one of the following should be expected:
- Listing of filenames and/or directories on the file system
- Ability to read the contents of arbitrary files
- Denial of service of the web application
- Denial of service of the full server
- Probing of other devices on the intranet (NAT / Firewall bypass)
Example of local file inclusion
In PHP, a vulnerable script for including different web pages could look like this:
$file = $_GET['file']; if(isset($file)) { include("pages/$file"); } else { include("index.php"); }
A sample payload to execute the flaw could look something like this:
http://example.com/index.php?file=../../../../../etc/passwd
This (../../../../) forces the file system to traverse back to the root of the server (instead of the expected “pages” directory in the web root), append /etc/passwd and include it, thus leaking the local users on the machine.
Remediation
Avoid passing any user data to the filesystem. If you have to, you need to maintain a list of authorized file names and avoid opening any files other than those on the allowed list.