Invicti identified a Out of Band Remote File Inclusion vulnerability on the target web application by capturing a DNS A request.

This occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution.

Impact may differ depending on the execution permissions of the web server user. Any included source code could be executed by the web server in the context of the web server user, hence making arbitrary code execution possible. Where the web server user has administrative privileges, full system compromise is also possible.

• Wherever possible, do not allow the appending of file paths as a variable. File paths should be hard-coded or selected from a small pre-defined list.
• Where dynamic path concatenation is a major application requirement, ensure input validation is performed and that you only accept the minimum characters required, for example, "a-Z0-9", and that you filter out and do not allow characters such as ".." or "/" or "%00" (null byte) or any other similar multifunction characters.
• It's important to limit the API to only allow inclusion from a directory or directories below a defined path.