Invicti identified a Local File Inclusion vulnerability, which occurs when attacker-controlled input is used to select a file on the target system that the server then includes in the attacked page.
Invicti confirmed this issue by reading some files from the target web server.
- Gather usernames via an
- Harvest useful information from the log files, such as
- Remotely execute commands by combining this vulnerability with other attack vectors, such as a file upload vulnerability or log injection
- If possible, do not permit appending file paths directly. Make them hard-coded, or selectable from a limited hard-coded list of paths via an index variable.
- If you definitely need dynamic path concatenation, ensure you only accept the required characters, such as "a-zA-Z0-9", and do not allow "..", "/", "%00" (null byte) or any other similar unexpected characters.
- It is important to limit the API so that it allows inclusion only from one directory and the directories below it. This way you can ensure that an attacker cannot perform a directory traversal attack.
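The following is an added illustration of the two remediation approaches above (an index into a hard-coded list, and a strictly filtered name confined to one directory); it is example code, not Invicti's or any scanned application's. The template directory and page names are assumptions.

```python
import os
import re

# Assumed template directory and a constructed allowlist of includable pages.
BASE_DIR = os.path.realpath("templates")
ALLOWED_PAGES = ("home.html", "about.html", "contact.html")

def resolve_by_index(index_param: str) -> str:
    """Preferred: the client sends an index, never a path."""
    if not re.fullmatch(r"[0-9]{1,3}", index_param or ""):
        raise ValueError("index must be a short decimal number")
    idx = int(index_param)
    if idx >= len(ALLOWED_PAGES):
        raise ValueError("index out of range")
    return os.path.join(BASE_DIR, ALLOWED_PAGES[idx])

# Only letters, digits and underscore, followed by a fixed extension.
SAFE_NAME = re.compile(r"[a-zA-Z0-9_]+\.html")

def resolve_dynamic(name: str) -> str:
    """Fallback for dynamic names: strict charset plus directory confinement."""
    # Reject null bytes and anything outside the allowed character set
    # ("..", "/", "%" and friends never pass the regex).
    if "\x00" in name or not SAFE_NAME.fullmatch(name):
        raise ValueError("unexpected characters in file name")
    candidate = os.path.realpath(os.path.join(BASE_DIR, name))
    # Defence in depth: after resolving symlinks, the path must still be
    # inside BASE_DIR, so a future loosening of the regex cannot escape it.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes the template directory")
    return candidate

def is_rejected(resolver, value: str) -> bool:
    """Helper: True if the resolver refuses the supplied input."""
    try:
        resolver(value)
    except ValueError:
        return True
    return False
```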