During our testing, we noted that local files on the web server could be accessed via a Local File Inclusion (LFI) vulnerability.
Risk Level:
High
Implication:
A potential perpetrator could exploit the weakness in the Web function in order to:
(a) View local files containing sensitive information such as passwords and database connection strings;
(b) View the source codes of the web application; and
(c) Retrieve local file structures.
Recommendation:
(a) Validate whether the value supplied as a query parameter matches the expected business logic, e.g. the parameter should accept only a filename containing no special characters; and
(b) Restrict access to local files and paths to a specific user.
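As an added illustration of recommendation (a), not code from the original report or from Fimap, the following Python include handler accepts only a plain page name and then confirms that the resolved path still lies inside a fixed include directory; the directory name and the sample parameter values are constructed for the demo.

```python
import os
import re
from typing import Dict, Optional

# Constructed for the demo: the directory that holds includable page templates.
INCLUDE_DIR = "/srv/app/pages"

# Only letters, digits, underscore and hyphen are allowed in the parameter,
# so '/', '\\', '.', NUL and percent-encoding never reach the file system.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_include(base_dir: str, page: str) -> Optional[str]:
    """Return the absolute file to include, or None if the value is rejected."""
    if not SAFE_NAME.fullmatch(page):
        return None
    base = os.path.realpath(base_dir)
    # The extension is fixed server-side; the client never chooses it.
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    # Defence in depth: even an allowed name must resolve inside base_dir
    # (a symlink placed in the include directory could otherwise escape it).
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed parameter values a tester might send, including the shapes an
# LFI scanner tries; only the first one should be accepted.
SAMPLE_VALUES = [
    "about",
    "about.php",
    "../etc/passwd",
    "/etc/passwd",
    "about\x00",
    "..%2f..%2fetc%2fpasswd",
]


def audit(base_dir: str = INCLUDE_DIR) -> Dict[str, bool]:
    """Map each sample value to whether the handler would include a file."""
    return {v: resolve_include(base_dir, v) is not None for v in SAMPLE_VALUES}


if __name__ == "__main__":
    for value, accepted in audit().items():
        print(f"{value!r:28} -> {'accepted' if accepted else 'rejected'}")
```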
For verification we used Fimap, which is included in Kali Linux. A few words about Fimap: it is a Python tool that can be used to verify local and remote file inclusion (LFI and RFI) bugs in web applications.
Fimap can be found under Web Applications | Web Vulnerability Scanners | Fimap.
When you open Fimap, a terminal window opens displaying the homescreen. Fimap has a few plugin options, which you can download by using the following command:
fimap --install-plugins
To use Fimap, you need to know the target you want to scan. For example, we will target www.lifeofpentest.com. To scan this website, type the following command:
fimap -u 'http://www.lifeofpentest.com'
Fimap will attempt to identify any file inclusion vulnerabilities.