Local File Inclusion
- CAPEC 252
- PCI 3.2-6.5.8
- WASC 33
- OWASP 2013-A4
Local File Inclusion (LFI) is a vulnerability that occurs when an application allows untrusted user input to specify files on the local filesystem to be included or read by the server. Attackers can exploit LFI to read sensitive files, gain insight into server configuration, or escalate to remote code execution through chained attacks (e.g., log poisoning or uploaded files).
Typical vulnerable patterns:
- Dynamically constructing file paths from user input and passing them to include/require functions, e.g., `include($_GET['page'])` in PHP.
- Using user-supplied filenames for template rendering, plugin loading, or configuration reading without validation.
- Failure to normalize or canonicalize paths, allowing `../` traversal sequences or symbolic link abuse.
Common attack outcomes:
- Disclosure of sensitive files: `/etc/passwd`, configuration files, application source code.
- Inclusion of logs, session stores, or uploaded files that may contain attacker-controlled content.
- Potential code execution if LFI is chained with other vulnerabilities (e.g., log poisoning with PHP code).
Detection signals:
- Use of request parameters directly in file inclusion APIs.
- Automated scanning can reveal LFI through path traversal payloads (`../../../../etc/passwd`).
- Abnormal file access patterns in logs or application responses containing system file content.
Remediation
Whitelist Allowed Files
Map user input to a pre-defined set of allowed files. Do not allow direct inclusion of filenames or paths supplied by users.
Canonicalize and Normalize Paths
Resolve `.` and `..` sequences and symbolic links before validating filenames to prevent directory traversal bypasses.
Validate and Restrict Input
Restrict filenames to a safe set of characters (e.g., alphanumeric and limited symbols) and enforce maximum length.
Disable Dangerous Features
Avoid dynamic includes of user-supplied paths. If using interpreters like PHP, disable `allow_url_include` and other risky features.
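The three code-level remediations above (allowlist mapping, character restriction, canonicalization under a base directory) combined in one Python example; this is added here and is not code from the original page. The page set in `ALLOWED_PAGES`, the `templates` layout and the escaping symlink are constructed for the demonstration.

```python
import os
import re
import tempfile

# Allowlist: the request parameter is a key, never a path (assumed page set).
ALLOWED_PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}

# Character restriction: letters, digits, dot, dash, underscore; no path separators; bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def page_from_allowlist(param):
    """Return the template file mapped to the request key, or None if the key is unknown."""
    return ALLOWED_PAGES.get(param)


def resolve_under_base(base_dir, user_name):
    """Canonicalize user_name relative to base_dir and confirm the result stays inside it.

    Returns the resolved absolute path, or None if the name fails the character
    check or canonicalizes (via '..' or a symbolic link) outside base_dir.
    """
    if not SAFE_NAME.fullmatch(user_name):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    # commonpath avoids the prefix bug where "/srv/templates_x" passes a startswith("/srv/templates") test
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Constructed layout: one legitimate template plus a symlink that escapes the base directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "templates")
        os.mkdir(base)
        open(os.path.join(base, "about.php"), "w").close()
        secret = os.path.join(tmp, "secret.conf")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(base, "link.php"))  # symbolic link abuse case
        probes = ["about.php", "..", "../../etc/passwd", "link.php"]
        return {p: resolve_under_base(base, p) is not None for p in probes}


if __name__ == "__main__":
    print(page_from_allowlist("about"), page_from_allowlist("../../etc/passwd"))
    print(demo())
```

Only `about.php` resolves; `..` and the symlink pass the character check but are rejected after canonicalization, which is why the check must run on the resolved path rather than the raw parameter.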