IBM X-Force Threat Research discovered a botnet-based local file inclusion attack targeting over 100 of its customers....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
What is a local file inclusion attack and how can this one be stopped?
The PHP coding language is vulnerable to a local file inclusion attack due to its frequent reliance on files stored on the server -- local files -- that include commands for taking in user input.
This vulnerability involves the local files on the Unix web server and occurs when an attacker injects malicious commands into a file. The target site executes whatever input is provided; the input can be either a file name or a URL address. Consider the file parameter in this example, which points to a file with malicious code, stored externally:
The parameter is taken into the following PHP code and the malicious file is included:
. . .
. . .
The attacker adds malicious input into the shell.php that retrieves unauthorized files in the same or a different directory.
More aggressive than this local file inclusion attack is the bot-based attack reported by IBM X-Force Threat Research. The attacker performs command injection to trap a Wget request that attempts to write a suspicious PHP file, shell.php, on the victim's machine.
The attacker uses the /proc/self/environ file, which usually contains environment variables, and which should be accessible only to root users, as the included file. A PHP script returning the word carbon in the MD5 form notifies the attacker that the exploitation of the vulnerability was successful.
The most effective solution for removing file inclusion vulnerabilities is to prevent users from passing input into the file systems and framework API. If this is not possible, the application can maintain a whitelist of files. These files must contain only characters (a-z) and numbers for file names. Special characters -- for example, the colon and slashes found in a URL, like http:// -- must not be included.
The API should be limited to including files from one allowed directory, and any request containing invalid characters should be rejected.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Judith Myerson
A patch was issued for the Dirty COW vulnerability, but researchers later discovered problems with the patch. Expert Judith Myerson explains what ...continue reading
Getting firewall settings right is one of the most basic ways to protect enterprise data from accidental exposures. Expert Judith Myerson discusses ...continue reading
Expert Judith Myerson explains how IP theft can happen despite the cryptographic protections in IEEE standard P1735, as well as what can be done to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.