As the name suggests, if a web application does not check the file name requested by the user, a malicious user can exploit this to download sensitive files from the server.

This article covers: Basic Web related concepts; What is arbitrary file download?; Difference between Arbitrary File Download and LFI/RFI.

What is arbitrary file download?

Many web applications have file download sections where a user can download one or more files of their choice. If the input is not properly sanitized before it is used to retrieve files from the file cabinet, or to retrieve attachments from a received message or memo, it can be exploited to download arbitrary files from the system via directory traversal attacks.

download_file('/var/www/store_file/' + params)

This method takes the user's input and assigns the value to the 'filename' parameter. When the user clicks on a file to download, it appends the 'filename' parameter to the directory path '/var/www/store_file/'. If the file exists, it is downloaded to the user's hard disk; otherwise the user gets the message 'File Not Found'. (Note that this message is also an oracle: it tells an attacker whether a guessed path exists.)

The above is an example of an ideal situation, which is not always the case. If the developers have not properly validated the user input before assigning it to the 'filename' parameter, the consequences can be disastrous. If the user simply supplies '../../../etc/passwd' or '../../../etc/shadow', they can download the server's login information, which can eventually be used to recover a valid user's account and finally to connect to and own the server, which I shall show in a real scenario that I came across. On successful exploitation, any file present on the server can be downloaded, limited only by the privileges of the account the server runs under. In this case, as the application server was running as the highest-privilege user (root), we were able to obtain a copy of the shadow file.

Difference between Arbitrary File Download and LFI/RFI

Often confused, LFI/RFI is different from the Arbitrary File Download vulnerability, although the two are used in combination when directory traversal is possible on the server. LFI and RFI stand for Local File Inclusion and Remote File Inclusion. Both are of a similar nature, except for the mode of exploitation: both take advantage of unfiltered file-name parameters used by web applications, predominantly PHP. LFI, when exploited, uses a file that already exists on the machine where the web application is hosted; RFI, on the other hand, includes a remotely hosted malicious file via a URL (in PHP this additionally requires allow_url_include to be enabled, which it is not by default).

The PHP include() function is useful when one file is required several times. Instead of writing the same code again and again, we can include the file inside many other files using include(). If a file such as color.php is required several times in other files such as vehicles.php, it can simply be included, and a legitimate request might look like this:

However, if the application fails to sanitize the parameter and an attacker supplies the following:

com/vehicles.php?pref=../../../../etc/passwd

it will print the contents of the passwd file, which lists system accounts and user attributes. The included file is parsed as PHP; since /etc/passwd contains no PHP tags, its contents are simply echoed into the page.

Now that we have seen the examples, the major difference is clear. With LFI/RFI, the resource is loaded and executed in the context of the current application. In the case of Arbitrary File Download, we are abusing the download functionality of a web application that fails to restrict the user input to a specific directory.

As I said, during the security assessment of one application, I found a messaging section where you can post your comments and attach any files in support of your message. The user input goes beyond the directory and is able to download other critical files of the system.
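The download handler discussed above and a hardened version of it, as an added example that is not code from the original article: a Python stand-in for the page's download_file('/var/www/store_file/' + params) beside a variant that canonicalises the path with realpath and refuses anything that resolves outside the store. Both are run against a constructed temporary directory tree; the sandbox layout, file names and file contents are made up for this demonstration. The same resolve-then-check-containment idea applies to a PHP include() parameter, although for include() an allow-list of permitted page names is the stronger control.

```python
"""Arbitrary file download: concatenation-style handler beside a hardened one,
exercised against a constructed sandbox (added example, not from the article)."""
import os
import shutil
import tempfile


def build_sandbox():
    """Create a throwaway directory tree standing in for the server.

    <tmp>/var/www/store_file/report.pdf  -- the one legitimate attachment
    <tmp>/etc/passwd                     -- fake system file outside the store
    Files and contents are constructed for this example.
    Returns (root_dir, store_dir).
    """
    root = tempfile.mkdtemp(prefix="afd_demo_")
    store = os.path.join(root, "var", "www", "store_file")
    os.makedirs(store)
    with open(os.path.join(store, "report.pdf"), "w") as fh:
        fh.write("legitimate attachment\n")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    return root, store


def download_file_vulnerable(store_dir, filename):
    """Mirrors download_file('/var/www/store_file/' + params) from the page.

    The user-controlled 'filename' is glued onto the store directory with no
    check that the result still lies inside it, so '../' sequences walk out.
    Returns the file content, or None for the page's 'File Not Found' case.
    """
    path = store_dir + "/" + filename
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


def download_file_safe(store_dir, filename):
    """Hardened variant: canonicalise, then require containment in the store.

    os.path.realpath collapses '..' and resolves symlinks, so the decision is
    made on where the path actually ends up, not on the string the user sent.
    An absolute 'filename' makes os.path.join discard store_dir entirely; the
    containment test below catches that case as well.
    """
    base = os.path.realpath(store_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        return None  # resolves outside the store directory: refuse
    if not os.path.isfile(candidate):
        return None
    with open(candidate) as fh:
        return fh.read()


def run_demo():
    """Run both handlers over legitimate and traversal inputs.

    Returns {(handler, filename): content-or-None} so the outcome can be
    inspected programmatically; the sandbox is removed afterwards.
    """
    root, store = build_sandbox()
    inputs = [
        "report.pdf",                # legitimate attachment
        "../../../etc/passwd",       # traversal: store_file -> www -> var -> root
        "/etc/passwd",               # absolute path: join() drops the base
        "../store_file/report.pdf",  # leaves and re-enters: harmless after realpath
    ]
    results = {}
    try:
        for name in inputs:
            results[("vulnerable", name)] = download_file_vulnerable(store, name)
            results[("safe", name)] = download_file_safe(store, name)
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for (handler, name), content in run_demo().items():
        status = "served" if content is not None else "refused / not found"
        print(f"{handler:10s} {name:28s} -> {status}")
```

Resolving before checking is what makes the containment test hold up: a symlink placed inside the store that points at /etc/passwd resolves outside the base and is refused, and the harmless "../store_file/report.pdf" input is still served because it resolves back inside. Two caveats when porting this to PHP: realpath() returns false for paths that do not exist, so handle that before comparing, and a plain string-prefix check on the unresolved path is not a substitute for this test.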