PCI v3.2-6.5.8
CAPEC-252
CWE-22
HIPAA-164.306(a)
ISO27001-A.14.2.5
WASC-33
OWASP 2013-A4
OWASP 2017-A5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Local File Inclusion (IAST)

Severity:
High
Summary

Invicti identified a Local File Inclusion vulnerability, which occurs when a file from the target system is injected into the attacked server page.

Invicti confirmed this issue by reading some files from the target web server.

Impact

The impact can vary, based on the exploitation and the read permission of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:

  • Gather usernames via an "/etc/passwd" file
  • Harvest useful information from the log files, such as "/apache/logs/error.log" or "/apache/logs/access.log"
  • Remotely execute commands by combining this vulnerability with some other attack vectors, such as file upload vulnerability or log injection
Remediation
  • If possible, do not permit appending file paths directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
  • If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
  • It is important to limit the API to allow inclusion only from a directory and directories below it. This way you can ensure any potential attack cannot perform a directory traversal attack.
Required Skills for Successful Exploitation
Actions To Take
Vulnerability Index

You can search and find all vulnerabilities

Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Featured resources

Blog

Strengthening enterprise application security: Invicti acquires Kondukto

Blog

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Blog

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Blog

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Blog

What lies ahead for CMS.

Blog

How to integrate CMS with other tools.

Blog

Improve user experience through CMS.

Blog

How CMS can benefit e-commerce.

Blog

Stay updated on CMS trends.

Blog

Tips for improving CMS performance.

Blog

Learn how to secure your CMS.

Blog

Explore the advantages of CMS.

Blog

A comprehensive guide to CMS.

Build your resistance to threats. And save hundreds of hours each month.