File Inclusion attacks come in two types:
- Local File Inclusion (LFI). The attacker exploits a directory-traversal weakness in a file-inclusion parameter to make the application include files it never intended to expose. A common target is the well-known /etc/passwd file.
- Remote File Inclusion (RFI). Same principle as LFI, but the included file is fetched from a remote, attacker-controlled location (e.g. a C99shell web shell).
Proof of Concept
How to detect?
How to protect against it?
- Upgrade to the latest version of PHP.
- Never trust user input. Always validate the strings against whitelists and purify/sanitize the content before using it in an include.
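As an added example (not from the original page), the following Python script covers both the "How to detect?" and the whitelist advice above: it scans constructed Apache-style access-log lines for query parameters that carry traversal sequences or a remote URL, decoding twice so double-URL-encoded traversal is not missed, and includes the exact-match allowlist check an application should apply before any include. The log lines, IP addresses and the `ALLOWED_PAGES` set are assumptions made up for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1042 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1042 "-" "curl/7.88"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=http://198.51.100.4/c99.txt HTTP/1.1" 500 0 "-" "curl/7.88"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ALLOWED_PAGES = {"home", "about", "contact"}  # hypothetical allowlist for ?page=

def decode_value(value):
    """Decode twice so single- and double-URL-encoded traversal look the same."""
    return unquote(unquote(value))

def classify_value(value):
    """Return 'RFI', 'LFI' or None for one query-parameter value."""
    decoded = decode_value(value)
    if re.match(r"[a-z][a-z0-9+.-]*://", decoded, re.IGNORECASE):
        return "RFI"  # value is a URL: remote file inclusion attempt
    if "../" in decoded or "..\\" in decoded or "/etc/passwd" in decoded:
        return "LFI"  # traversal sequence or the classic local target
    return None

def scan_log(text):
    """Return (line_no, param, kind, decoded_value) for each suspicious parameter."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl already strips one layer of percent-encoding
        for param, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                hits.append((line_no, param, kind, decode_value(value)))
    return hits

def is_allowed_page(value, allowlist=ALLOWED_PAGES):
    """Exact-match allowlist check an application should apply before any include."""
    return value in allowlist
```

Feed real access logs to `scan_log` to get a first triage list; the allowlist check is the application-side control that makes such requests fail closed.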