Remote and local file inclusion (RFI/LFI) attacks are a favorite choice for hackers, and many security professionals aren't noticing.
Why is RFI/LFI attractive to hackers? A successful attack allows the execution of arbitrary code on the attacked platform's web application; with RFI/LFI, a hacker can take over a web server.

Surprisingly, however, RFI/LFI has not been taken seriously by the security community. In real-world hacking attacks, RFI/LFI attacks made up 21 percent of all observed application attacks.

For hackers, RFI/LFI attacks are very attractive since they target PHP applications. With more than 77 percent of today's websites running PHP, RFI should be on every security practitioner's radar, but isn't. Some notorious RFI/LFI examples include:
- Lulzsec, using RFI bots to attack their targets.
- TimThumb, a WordPress add-on, which was vulnerable to LFI and paved the way to 1.2 million infected websites.
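The weakness behind most RFI/LFI findings is a PHP `include` whose path comes straight from a request parameter. The following is an added example, not code from the Imperva report or from any of the applications it names: the unsafe pattern alongside a hardened version that maps the parameter to a fixed allowlist. The `pages/` directory and the page names are assumptions.

```php
<?php
// Added example (not from the Imperva report). Directory and page names
// are assumptions chosen for illustration.

// Unsafe: the request parameter becomes the include path unchanged.
// With allow_url_include=On a remote URL can be loaded (RFI); with it
// off, directory traversal can still reach local files (LFI).
function render_page_unsafe(string $page): void
{
    include $page;                    // e.g. ?page=pages/home.php
}

// Hardened: user input selects a key in a fixed map and never becomes
// part of a filesystem path. Unknown keys fall back to a known page.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $page): string
{
    return PAGE_MAP[$page] ?? PAGE_MAP['home'];
}

// Defence in depth for the case where the map is ever built from
// configuration: the resolved path must still sit under pages/.
function is_under_pages_dir(string $path): bool
{
    $base = realpath(__DIR__ . '/pages');
    $real = realpath($path);
    return $base !== false && $real !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

function render_page_safe(string $page): void
{
    $path = resolve_page($page);
    if (!is_under_pages_dir($path)) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Only accept a scalar string; ?page[]=x would otherwise raise a TypeError.
$requested = $_GET['page'] ?? 'home';
render_page_safe(is_string($requested) ? $requested : 'home');
```

Alongside the allowlist, keep `allow_url_include` off in php.ini (it has defaulted to Off since PHP 5.2 and is deprecated since 7.4), which removes the remote half of the problem at the interpreter level; the allowlist is what removes the local half, since no traversal sequence can be mapped to a path the map does not already contain.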
In one hacker forum, several discussions shed light on the value of RFI/LFI:
Download PDF: http://www.imperva.com