As with many exploits, remote and local file inclusion are a problem that originates in the code. Of course, it takes a second person to exploit it. This article will hopefully give you an idea of how to protect your website, and most importantly your code, from a file inclusion exploit. I'll give code examples in PHP. Let's look at some of the code that makes RFI/LFI exploits possible.

    <a href="index.php?page=file1.php">Files</a>
    <?php
    // The request parameter is used as the include path with no validation
    $page = $_GET['page'];
    include($page);
    ?>

Now obviously this should not be used. The $page input is not fully sanitized. The $page input is passed directly to the damn web page, which is a big "NO". Always sanitize any input passed through the browser. When the user visits the web page and clicks on "File" to visit "files.php", something like this will appear. https://localhost/index.php?....
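A hardened version of the index.php include shown above, as an added example that is not part of the original article. The pages/ directory, the page keys and the resolve_page() helper are assumptions made for illustration; it requires PHP 8.0 or later.

```php
<?php
// Added example, not the article's code. PAGES_DIR, PAGES and resolve_page()
// are hypothetical names; adjust the directory and keys to your site.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: the only values ?page= may take, mapped to files on disk.
// The browser never supplies a file name or path, only a key.
const PAGES = [
    'home'  => 'home.php',
    'files' => 'file1.php',
];

function resolve_page(mixed $requested): ?string
{
    // Reject non-strings (e.g. ?page[]=x) and any key not in the allowlist.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    // Defence in depth: resolve symlinks and relative parts, then confirm
    // the final path is still inside the pages directory.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    // Unknown page: fail closed and do not echo the input back.
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

With this in place the link becomes index.php?page=files. Keeping allow_url_include set to Off in php.ini additionally stops include from fetching remote URLs.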
This program can help you test this vulnerability: https://github.com/kurobeats/fimap
include(), include_once(), require(), require_once(), fopen(), imagecreatefromXXX(), file(), file_get_contents(), copy(), delete(), unlink(), upload_tmp_dir(), $_FILES, move_uploaded_file()
Taking these types of configurations into account will increase the security of the server; otherwise, a breach may compromise not only user information but the entire server, leading to damaged reputation and loss of trust in the service.