Local File Inclusion
Description
This application is vulnerable to Local File Inclusion (LFI), a security flaw that allows attackers to include files from the server's filesystem through manipulated input parameters. The vulnerability occurs when user-supplied input is passed directly to file inclusion or file-reading functions (such as include, require, or file_get_contents) without proper validation or sanitization. Attackers can exploit this weakness to read sensitive files, execute arbitrary code, or otherwise compromise the application.
Remediation
Implement the following security measures to remediate this vulnerability:
1. Use a whitelist approach: Define an array of allowed filenames or identifiers and validate all user input against this list.
// PHP Example - Whitelist approach
$allowed_files = ['home', 'about', 'contact'];
$page = $_GET['page'] ?? 'home';
// Strict comparison (third argument true) so only an exact string match passes
if (in_array($page, $allowed_files, true)) {
    include "pages/{$page}.php";
} else {
    include "pages/error.php";
}

2. Sanitize and validate input: Remove or reject directory traversal sequences (../, ..\) and null bytes from user input.

// PHP Example - Input sanitization
$file = basename($_GET['file'] ?? ''); // Strips any directory component, including traversal sequences
// Reject rather than strip: a single str_replace() of '../' can be bypassed by nested sequences
if ($file === '' || strpos($file, "\0") !== false || strpos($file, '..') !== false) {
    http_response_code(400);
    exit('Invalid file name');
}
include "templates/{$file}";

3. Disable dangerous PHP configurations: Set allow_url_fopen and allow_url_include to Off in php.ini to prevent remote file inclusion.
4. Use absolute paths: Construct file paths using absolute paths and avoid concatenating user input directly into file paths.
5. Implement proper access controls: Ensure the web server process runs with minimal privileges and cannot access sensitive system files.
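The following is an added example, not code from the original page, that combines steps 1, 2 and 4 above into one resolver: the page name is checked against a whitelist, traversal sequences and null bytes are rejected, and the final path is canonicalised with realpath() and confirmed to lie under an absolute template directory. The template directory and the sample file it creates are assumptions made for the demo.

```php
<?php
// Added example (not from the original page): safely resolve a user-supplied
// page name to a template file under an absolute base directory.
declare(strict_types=1);

const ALLOWED_PAGES = ['home', 'about', 'contact']; // whitelist of identifiers

/**
 * Return the absolute path of the template to include, or null if the
 * request must be rejected. $baseDir must be an absolute directory path.
 */
function resolve_page(string $baseDir, string $page): ?string
{
    // 1. Reject (do not strip) null bytes and traversal sequences up front.
    if ($page === '' || strpos($page, "\0") !== false || strpos($page, '..') !== false) {
        return null;
    }
    // 2. Whitelist: only known identifiers, compared with strict types.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Canonicalise both the base directory and the candidate file.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $real === false) {
        return null; // base dir missing or template does not exist
    }
    // 4. Defence in depth: the resolved file must still sit under the base
    //    directory, which also catches symlinks pointing outside it.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Demo setup (assumed): a throwaway template directory holding one whitelisted page.
$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.php', "<p>home</p>\n");

// Constructed sample inputs: only the whitelisted, existing page resolves;
// 'about' is whitelisted but absent, the rest fail the input or whitelist checks.
foreach (['home', 'about', 'admin', '../secret', "home\0"] as $input) {
    $path = resolve_page($dir, $input);
    printf("%-16s => %s\n", json_encode($input), $path === null ? 'rejected' : "include $path");
}
```

Only the value returned by resolve_page() should ever reach include(); if it is null, serve an error page rather than falling back to the raw request parameter.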