Research Report 92091

File path traversal vulnerabilities occur when a web application allows users to manipulate path parameters to access files outside the intended directory. This can expose sensitive files like configuration files or source code. File inclusion vulnerabilities allow attackers to execute local or remote files through poorly sanitized user input. Uploaded files can also pose risks if not properly validated and restricted. Key mitigations include input validation, whitelisting acceptable file types, and limiting file permissions and locations.

Uploaded by

Honey Dhaliwal
Research report on

File Path Traversal/File Inclusion Vulnerabilities (LFI/RFI)
File Upload Vulnerabilities

What is File Path Traversal?

A path traversal or directory traversal attack aims at accessing and reading files
stored outside the directory tree that the web service intentionally exposes.
It consists of modifying a request's parameters in order to navigate that tree.
The attacker's goal is to browse the directories to reach sensitive files to
which access is normally not allowed (configuration files, source code, etc.).
In some situations, the attacker may even gain access to unauthorized
functionality, such as writing files on the server. This can let them take
control of the server, at which point the vulnerability becomes a remote code
execution (RCE).
This attack is also known as "dot-dot-slash", "directory traversal", "directory
climbing" and "backtracking".

How does the path traversal vulnerability occur?

Most web applications use locally stored resources (images, scripts, text files, etc.)
to perform their tasks. Sometimes, these resources are embedded in other pages
via parameters that a user can manipulate.
The path traversal flaw occurs when the user parameters aren't sanitised and/or
there is a lack of access control on the resources.
It is then possible for an attacker to modify the parameters of the request so
that the server returns other resources.

What are File Inclusion Vulnerabilities?

File Inclusion vulnerabilities often affect web applications that rely on a
scripting runtime, and occur when a web application allows users to submit
input into files or upload files to the server. They are often found in poorly
written applications.
File Inclusion vulnerabilities allow an attacker to read and sometimes execute
files on the victim server or, as is the case with Remote File Inclusion, to
execute code hosted on the attacker's machine.

An attacker may use remote code execution to create a web shell on the server,
and use that web shell for website defacement.

Types of file inclusion vulnerabilities

File inclusion vulnerabilities come in two types, depending on the origin of the
included file:
– Local File Inclusion (LFI)
– Remote File Inclusion (RFI)

Local File Inclusion (LFI)

A Local File Inclusion attack is used to trick the application into exposing or
running files on the server. It allows attackers to execute arbitrary commands
or, if the server is misconfigured and running with high privileges, to gain
access to sensitive data.

These attacks typically occur when an application uses the path to a file as
input. If the application treats that input as trusted, an attacker can make the
application use a local file of their choosing in an include statement.

While Local File Inclusion and Remote File Inclusion are very similar, an
attacker using LFI may include only local files.

Remote File Inclusion (RFI)

An attacker who uses Remote File Inclusion targets web applications that
dynamically reference external scripts. The goal of the attacker is to exploit the
referencing function in the target application so that it loads malware from a
remote URL, located on a different domain.
The results of a successful RFI attack can be information theft, a compromised
server and a site takeover, resulting in content modification.

Differences

Directory traversal and local file inclusion bugs are frequently seen in web
applications. Directory traversal is when a server allows an attacker to read
files or directories outside of the normal web server directory.

Local file inclusion gives an attacker the ability to include an arbitrary local
file (from the web server) in the web server's response. Both of these bugs can
be used to read arbitrary files from the server.

In most cases, this means that an attacker can read the /etc/passwd file and the
shell history files in order to find information leaks. However, an attacker can
also use this to read the proc file system. This can provide some interesting
insights into what is running on the server.

Each process also has its own set of attributes. If you have the PID number and
access to that process, then you can obtain some useful information about it,
such as its environment variables and any command line options it was
run with. Sometimes these include passwords.

Linux also has a special proc directory called self which can be used to query
information about the current process without having to know its PID.
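The "dot-dot-slash" requests and remote-URL parameters described above leave a recognisable trace in web server access logs. The following detector is an added example, not code from the report; it runs over constructed log lines (the addresses are documentation ranges) and decodes percent-encoding repeatedly so that double-encoded sequences are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the report); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /view?file=../../etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /view?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /view?file=%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 500 0
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /page?include=http://198.51.100.4/x.txt HTTP/1.1" 200 77
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /docs/report..pdf HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment at the start of a path or parameter value, or between separators.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\?=&])\.\.(?:[/\\]|$)')
# A parameter value that is itself a URL with a scheme (remote inclusion indicator).
REMOTE_INCLUDE_RE = re.compile(r'(?:^|=)[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e collapses to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target):
    """Return the list of indicator names found in one request target."""
    decoded = fully_decode(target)
    findings = []
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    if REMOTE_INCLUDE_RE.search(decoded):
        findings.append("remote-include")
    return findings


def scan_log(text):
    """Return (client_ip, decoded_target, findings) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((line.split(" ", 1)[0], fully_decode(m.group("target")), findings))
    return hits
```

Note that a file name such as report..pdf is not flagged: the pattern requires the ".." to stand alone as a path segment, which keeps false positives down.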

Impact of File Path Traversal Vulnerability

The impact of this flaw is generally critical. Indeed, depending on the context,
the attacker might be able:

• to read files, potentially:
o configuration files, which usually contain secrets (credentials,
keys, etc.) that then enable the exploitation of further vulnerabilities,
o sensitive operating system files,
• to read the source code,
• to analyse the organisation of the server,
• sometimes to write on the server, which can lead to:
o a modification of the application's behaviour,
o or even to taking control of the server.

Impact of File Inclusion Vulnerability

The impact of file inclusion vulnerabilities may vary. It may include:
• Information disclosure
• Remote code execution
• Cross-site scripting
• Denial of Service
• System compromise, etc.

What is File Upload Vulnerability?

In almost every web application there is functionality for uploading files. The
file may be text, video, an image, etc. However, many web applications
do not perform proper security checks while files are being uploaded, and this
results in a vulnerability called File Upload Vulnerability. This one simple
vulnerability can lead to server-side scripting, arbitrary code execution,
cross-site scripting, and CSRF attacks.

The impact of file upload vulnerabilities

As with many other vulnerability classes, there is no single answer to what file
upload vulnerabilities can do to a target system.

It heavily depends on the web application code written by developers, on the
web server configuration, as well as on the operating system running the web
server.

▪ Remote Code Execution: The most harmful outcome. If the web server
configuration allows, an attacker can try to e.g. upload a web shell which
enables them to pass terminal commands to the server running the
application. These commands can then be easily sent to the server via the
browser.

▪ Denial of Service: If the application code does not validate file size or the
number of files uploaded, an attacker could try to fill up the server's
storage capacity until a point is reached where the application cannot be
used anymore.

▪ Web Defacement: If the web root is not configured properly (allowing an
attacker to overwrite existing files), an attacker could substitute existing
web pages with their own content (potentially showing imagery that
conflicts with the original purpose of the application).

▪ Phishing Page: Similar to the example before, an attacker could also
manipulate an existing page only slightly in order to e.g. extract
sensitive data and send it to a destination under their control.

File upload vulnerabilities often go hand-in-hand with directory traversal
vulnerabilities.

How to protect yourself from path traversal?

To avoid these flaws, several measures should be implemented:

• Do not use user input directly to call a file.
• User data shouldn't be interpreted. It should be encoded, escaped and
cleaned.
• It should be validated against a list of allowed values. If this isn't
possible, then the validation must confirm that only allowed content is
present (e.g. only alphanumeric characters).

How to prevent File Inclusion vulnerabilities?

To eliminate or minimize the risk of file inclusion vulnerabilities, it is
recommended to follow the steps below:

• Proper input validation and sanitization.
• Regularly scan applications for potential vulnerabilities.
• Blacklist approach: identifying and blocking publicly known attackers
and malicious URLs, as well as those that have already tried to infiltrate
your site or server.
• Whitelist approach: creating a list of valid and acceptable file types
and content.
• Enable code review to identify vulnerabilities in the code.
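The two mitigation lists above (validate against allowed characters, resolve nothing directly from user input, and prefer a whitelist for included files) can be put together in one place. The following is an added example, not code from the report: the document root, the page allowlist and the file names are assumed, and the vulnerable function is included only to show what the safe versions prevent.

```python
import os
import re

BASE_DIR = "/var/www/app/public"            # assumed document root (not from the report)
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")   # plain file names only: no "/" or "\"

# Whitelist for an include-style parameter: the user supplies a key, never a path.
PAGES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}


def vulnerable_resolve(user_file):
    """The pattern the report warns about: the parameter goes straight into the path."""
    return os.path.normpath(os.path.join(BASE_DIR, user_file))


def safe_resolve(user_file):
    """Return an absolute path inside BASE_DIR, or None when the input is rejected."""
    # 1. Validate against an allowed character set (alphanumerics, '_', '.', '-')
    #    and reject the two names that are still directory references.
    if not SAFE_NAME.fullmatch(user_file) or user_file in (".", ".."):
        return None
    # 2. Resolve symlinks and '..' and confirm the result is still under BASE_DIR.
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, user_file))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def resolve_include(page_key):
    """Map an include parameter through the whitelist instead of using it as a path."""
    name = PAGES.get(page_key)
    return safe_resolve(name) if name is not None else None
```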

How to Avoid File Upload Vulnerability:

• Always check the file extension, taking letter case into account.
• Filter the content of the file before storing it on the server.
• Do not give uploaded files execute permission.
• Always store uploaded files in a non-public directory.
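The four upload rules above, carried out in code as an added example that is not part of the report: the upload directory, size limit and accepted types are assumptions, and the PNG header used as input is constructed.

```python
import os
import secrets
import stat
import tempfile

UPLOAD_DIR = "/srv/app-uploads"   # assumed location outside the web root (not from the report)
MAX_BYTES = 5 * 1024 * 1024       # assumed size limit

# Allowed extensions (lower-case) and the magic bytes their content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

# Constructed minimal PNG header used as sample input.
PNG_SAMPLE = ALLOWED_TYPES["png"] + b"\x00" * 16


def check_upload(filename, data):
    """Return (True, ext) if the upload passes every check, else (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    name = os.path.basename(filename)       # drop client-supplied directory parts
    if "." not in name:
        return False, "missing extension"
    ext = name.rsplit(".", 1)[1].lower()    # case-insensitive: ".PhP" is ".php"
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: " + ext
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext


def store_upload(filename, data, upload_dir=UPLOAD_DIR):
    """Write an accepted upload under a server-chosen name with no execute bit."""
    ok, info = check_upload(filename, data)
    if not ok:
        raise ValueError(info)
    path = os.path.join(upload_dir, secrets.token_hex(16) + "." + info)
    # O_EXCL refuses to overwrite; 0o600 = owner read/write only, never executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo_store():
    """Store the sample PNG in a temporary non-public directory; return its permission bits."""
    path = store_upload("Avatar.PNG", PNG_SAMPLE, tempfile.mkdtemp())
    return stat.S_IMODE(os.stat(path).st_mode)
```

Because the stored name is generated by the server, the client's file name never reaches the filesystem, which also closes the traversal-through-upload combination mentioned above.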