LFI stands for LOCAL FILE INCLUSION. It is a type of web-application security vulnerability: a method of including files on a
server through a specially crafted HTTP request. This vulnerability can
be exploited using nothing more than a web browser and thus can be very easy to exploit.
Vulnerable Code:-
<?php
// the page name comes straight from the query string and is used as a file path
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
require $page . '.php';
?>
The attacker could then request:
index.php?page=../secret
That would make the script include
/home/someone/public_html/secret.php
Security –
1. Use an Array of Valid Pages
First of all you could have an array of valid pages, e.g.:
$pages = array(
    'home',
    'login',
    'logout',
    // etc.
);
if (!in_array($page, $pages)) {
    die('Invalid page');
}
2. Check Requested Values Against a Particular Format
Another thing you could do is check that the requested file matches a particular format:
// realpath() resolves "..", symlinks and returns false for missing files;
// the regex then pins the result to the expected directory and file name shape
$file = str_replace('\\', '/', realpath($page . '.php'));
if (!preg_match('%^/home/someone/public_html/[a-z]+\.php$%', $file)) {
    die('Invalid page');
}
include $file;
3. Reject file names which contain ., .. or / (or \ under Windows)
4. Limit file names to basic alphanumeric characters
5. Prepend the include directory name and append the appropriate extension.
6. Use the open_basedir PHP setting
7. Use the strip_tags and htmlspecialchars Functions
<?php
// removes HTML tags, then encodes the remaining special characters
function cleanAll($input) {
    $input = strip_tags($input);
    $input = htmlspecialchars($input);
    return $input;
}
?>
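The measures above can be combined into one hardened version of the vulnerable include. The following is an added example, not code from the original post; the `pages` directory name, the `resolvePage` function and the `VALID_PAGES` list are assumptions chosen for the illustration.

```php
<?php
// Added example (not from the original post): a hardened replacement for
// "require $page . '.php'" that applies measures 1 to 5 above.
// INCLUDE_DIR and VALID_PAGES are assumed values for this example.

const INCLUDE_DIR  = __DIR__ . '/pages';
const VALID_PAGES  = ['home', 'login', 'logout'];

/**
 * Returns the canonical path of the page file to include, or null if the
 * requested name is not acceptable.
 */
function resolvePage(string $requested): ?string
{
    // (4) only short, basic alphanumeric names are accepted; this alone
    // already rejects ".", "..", "/", "\" and null bytes (3)
    if (!preg_match('/^[a-z0-9]{1,32}$/', $requested)) {
        return null;
    }

    // (1) the name must be one the application knows about; strict
    // comparison avoids loose type juggling in in_array()
    if (!in_array($requested, VALID_PAGES, true)) {
        return null;
    }

    // (5) the application, not the user, supplies directory and extension
    $candidate = INCLUDE_DIR . '/' . $requested . '.php';

    // (2) the canonical path must still sit inside the include directory;
    // realpath() returns false for missing files, which fails the check
    $real = realpath($candidate);
    $base = realpath(INCLUDE_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $real;
}

$page = $_GET['page'] ?? 'home';
$file = resolvePage($page);
if ($file === null) {
    http_response_code(404);
    die('Invalid page');
}
require $file;
```

The allowlist (1) is the decisive control: with it in place, the format check (2) and the character restriction (4) only guard against mistakes in the list itself. The example deliberately does not rely on measure 7; strip_tags and htmlspecialchars transform HTML output and leave "../" sequences untouched, so on their own they do not stop a path traversal.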