- This attack can be automated quickly using lfi_autopwn.pl.
PHP's include() function does not merely include a library as similar functions do in C and other programming languages. It also executes any PHP code in the included file on the server side. As a result, if arbitrary code selected by the attacker can be included, it is possible to perform remote command execution.
When a programmer allows a file to be selected for inclusion via any HTTP input, this creates a File Inclusion vulnerability. By providing unexpected inputs that cause sensitive or attacker-controlled files to be included, information can be disclosed and execution can be hijacked.
To patch this type of vulnerability, one may employ whitelisting or simply stop allowing user input to specify files for inclusion. There are many prepackaged solutions and techniques to stop file inclusion vulnerabilities, although most of them can be bypassed with enough ingenuity. Where possible, it is better to avoid allowing user input to be directly translated into a file inclusion path.
|This could be classified as a design flaw in PHP for allowing the inclusion of remote files to begin with, or for accepting a variable in its include() function.|