“RFI/LFI attacks enable hackers to execute malicious code and steal data through the manipulation of a company’s web server. RFI was among the four most prevalent Web application attacks used by hackers in 2011,” notes the report. “In fact,” it adds, “RFI/LFI was used most prominently by hacktivists.”
The attack takes advantage of PHP capabilities – specifically the ability to ‘include’ a separate file. “Web applications that are vulnerable to malicious file inclusion typically accept the include target as a user-controlled parameter and fail to sufficiently validate it. Parameters that are vulnerable to RFI enable an attacker to include code from a remotely hosted file in a script executed on the application’s server.” A successfully exploited RFI vulnerability in the PHP code will allow a hacker to take complete control of the web server – and PHP is used by more than 75% of the internet’s web applications.
Recent hacks include the TimThumb vulnerability that led to the compromise of 1.2 million WordPress websites, and the military dating website that was breached by hacktivist group Lulzsec.
Imperva suggests a number of ways to mitigate RFI/LFI attacks. These include finding your own vulnerabilities using the same methods as the hackers: dorking (otherwise known as ‘Google hacking’, which uses search engines to find hints of possible vulnerabilities), and the use of both commercial and free vulnerability scanners. Also useful would be a web application firewall (WAF) and blacklisting known attack IPs. The report also notes that application code can be written to exclude RFI attacks, so detailed code review is advisable.
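The vulnerable pattern the report describes (an include target taken straight from a request parameter) beside the allowlist form that a code review should expect to find, as an added PHP example that is not code from the report or from any real application; the function, parameter and template names are assumed:

```php
<?php
// Added example, not from the Imperva report. Names are assumed.

// VULNERABLE: the include target comes straight from a user-controlled
// parameter and is never validated. This is the pattern the report
// describes; with remote URL includes enabled it becomes RFI, and with
// local paths it becomes LFI.
function render_page_vulnerable(array $get): void
{
    include $get['page'];   // e.g. ?page=about.php
}

// HARDENED: the request parameter is only ever used as a key into a fixed
// allowlist of local templates. The raw value never reaches include().
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    // Exact-match lookup: URLs, absolute paths and traversal sequences
    // are not keys, so they simply resolve to null.
    return PAGE_TEMPLATES[$requested] ?? null;
}

function render_page_hardened(array $get): void
{
    $template = resolve_page((string)($get['page'] ?? 'home'));
    if ($template === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // Only allowlisted filenames under a fixed directory are included.
    include __DIR__ . '/templates/' . $template;
}

// Defence in depth (php.ini): with allow_url_include = Off (the default),
// include/require refuse remote URLs even if a validation bug slips
// through review. This does not stop LFI, which is why the allowlist
// above is the primary control.
```

The lookup is deliberately an exact match rather than a path filter, because stripping `../` or `http://` from user input is the kind of check that repeatedly fails review.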
“However, ensuring that each and every piece of database access code is immune to RFI attack in normal-size applications that also include third party components is difficult. One must therefore assume that deployed web applications probably do include RFI vulnerabilities upon deployment and complement code review with a WAF,” it concluded.