What is Local File Inclusion (LFI)?

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.

Local File Inclusion is very similar to Remote File Inclusion (RFI). However, an attacker using LFI may only include local files (not remote files like in the case of RFI).

The following is an example of PHP code that is vulnerable to LFI.

/**
* Get the filename from a GET input
* Example - http://example.com/?file=filename.php
*/
$file = $_GET['file'];

/**
* Unsafely include the file
* Example - filename.php
*/
include('directory/' . $file);

In the above example, an attacker could make the following request. It tricks the application into executing a PHP script such as a web shell that the attacker managed to upload to the web server.

http://example.com/?file=../../uploads/evil.php

In this example, the file uploaded by the attacker will be included and executed by the user that runs the web application. That would allow an attacker to run any server-side malicious code that they want.

This is a worst-case scenario. An attacker does not always have the ability to upload a malicious file to the application. Even if they did, there is no guarantee that the application will save the file on the same server where the LFI vulnerability exists. Even then, the attacker would still need to know the disk path to the uploaded file.

Directory Traversal

Even without the ability to upload and execute code, a Local File Inclusion vulnerability can be dangerous. An attacker can still perform a Directory Traversal / Path Traversal attack using an LFI vulnerability as follows.

http://example.com/?file=../../../../etc/passwd

In the above example, an attacker can get the contents of the /etc/passwd file that contains a list of users on the server. Similarly, an attacker may leverage the Directory Traversal vulnerability to access log files (for example, Apache access.log or error.log), source code, and other sensitive information. This information may then be used to advance an attack.

Finding and Preventing Local File Inclusion (LFI) Vulnerabilities

Fortunately, it’s easy to test if your website or web application is vulnerable to LFI and other vulnerabilities by running an automated web scan using the Acunetix vulnerability scanner, which includes a specialized LFI scanner module. Take a demo and find out more about running LFI scans against your website or web application.

Share this post
Ian Muscat

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.
  • Interesting article.

    Is this what’s going on here – in the exceprt below (from my server error.log)? Is it an external attack on the webserver, or is my virtual server compromised and attempting to attack other VPSs on the same machine ?

    [client 39.104.28.175] ModSecurity: Access denied with code 418 (phase 1). Pattern match “wp-config.php” at ARGS_GET:file. [file “/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf”] [line “259”] [id “1990071”] [msg “wp-config.php Local File Inclusion Attempt”] [hostname “xxxxx”] [uri “/wp-content/themes/epic/includes/download.php”] [unique_id “Xxx”]

  • Leave a Reply

    Your email address will not be published.