IBM X-Force Threat Research discovered a botnet-based local file inclusion attack targeting over 100 of its customers....
What is a local file inclusion attack and how can this one be stopped?
The PHP coding language is vulnerable to a local file inclusion attack due to its frequent reliance on files stored on the server -- local files -- that include commands for taking in user input.
This vulnerability involves the local files on the Unix web server and occurs when an attacker injects malicious commands into a file. The target site executes whatever input is provided; the input can be either a file name or a URL address. Consider the file parameter in this example, which points to a file with malicious code, stored externally:
The parameter is taken into the following PHP code and the malicious file is included:
. . .
. . .
The attacker adds malicious input into the shell.php that retrieves unauthorized files in the same or a different directory.
More aggressive than this local file inclusion attack is the bot-based attack reported by IBM X-Force Threat Research. The attacker performs command injection to trap a Wget request that attempts to write a suspicious PHP file, shell.php, on the victim's machine.
The attacker uses the /proc/self/environ file, which usually contains environment variables, and which should be accessible only to root users, as the included file. A PHP script returning the word carbon in the MD5 form notifies the attacker that the exploitation of the vulnerability was successful.
The most effective solution for removing file inclusion vulnerabilities is to prevent users from passing input into the file systems and framework API. If this is not possible, the application can maintain a whitelist of files. These files must contain only characters (a-z) and numbers for file names. Special characters -- for example, the colon and slashes found in a URL, like http:// -- must not be included.
The API should be limited to including files from one allowed directory, and any request containing invalid characters should be rejected.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Judith Myerson
GE reported an improper authentication flaw in its PulseNet network management software for critical infrastructures. Discover how this flaw works ... Continue Reading
Researchers claim to have found a new attack against VMs that affects SEV technology. Expert Judith Myerson explains what this attack is and how it ... Continue Reading
The Wi-Fi Alliance released the updated WPA3 protocol, adding security enhancements to the Wi-Fi access process. Learn why enterprises should update ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.