Acunetix - Local File Inclusion #13

Open
goestin820 opened this issue Mar 5, 2024 · 0 comments
Labels
bug Something isn't working

@goestin820
Owner

Target URL: http://testphp.vulnweb.com
Target Description: test
Severity: High

Affects

http://testphp.vulnweb.com/showimage.php

Attack Details

URL encoded GET input file was set to showimage.php
Pattern found:
<?php
// header("Content-Length: 1" /*. filesize($name)*/);
if( isset($_GET["file"]) && !isset($_GET["size"]) ){
// open the file in a binary mode
header("Content-Type: image/jpeg");
$name = $_GET["file"];
// restrict urls
if (filter_var($name, FILTER_VALIDATE_URL)) {
exit();
}
$fp = fopen($name, 'rb');
// send the right headers
header("Content-Type: image/jpeg");
// dump the picture and stop the script ...

HTTP Request

GET /showimage.php?file=showimage.php&size=160 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: testphp.vulnweb.com
Connection: Keep-alive

Vulnerability Description

This script is possibly vulnerable to file inclusion attacks.
It seems that this script includes a file whose name is determined using user-supplied data. This data is not properly validated before being passed to the include function.

Impact

It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the web-server.

Remediation

Edit the source code to ensure that input is properly validated. Where possible, it is recommended to make a list of accepted filenames and restrict the input to that list.
For PHP, the option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. It is recommended to disable this option from php.ini.
References:
@goestin820 goestin820 added the bug Something isn't working label Mar 5, 2024