Local File Inclusion
Invicti identified a Possible Local File Inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.
However, this issue could not be confirmed by Invicti. Invicti believes that this was not a local file inclusion, but there were some indications of a possible local file inclusion. There can be numerous reasons for Invicti not being able to confirm it.
We strongly recommend you investigate the issue manually. You can also consider sending us the details of this issue so we can address it for the next time and give you more precise results.
- Gather usernames via
/etc/passwd
file - Harvest useful information from the log files, such as
"/apache/logs/error.log"
or"/apache/logs/access.log"
- Remotely execute commands via combining this vulnerability with some of other attack vectors, such as file upload vulnerability or log injection
- If possible, do not permit file paths to be appended directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
- If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
- It's important to limit the API to allow inclusion only from a directory and directories below it. This ensures that any potential attack cannot perform a directory traversal attack.