
🛡️ Security Advisory: Local File Inclusion (LFI) in index.php

Vulnerability Type: Local File Inclusion (CWE-98 / CWE-22)

Severity: High (8.1/10)

Status: Draft / For CVE Registration

Project URL: https://www.sourcecodester.com/php/18708/pizzafy-ecommerce-system.html

Summary

A Local File Inclusion (LFI) vulnerability exists in the Pizzafy application. The page parameter of admin/index.php is passed to PHP's include() without validation or sanitization, so a remote attacker can use directory traversal sequences (../) to include files from outside the intended directory. Because the application appends a .php suffix to the supplied value, the direct impact is the inclusion, and therefore execution, of any .php file the web server can read, anywhere on the server. If the attacker can also place a file with a .php extension on the server (for example through an insecure upload feature), this becomes remote code execution.


Vulnerability Details

  • Vulnerable Endpoint: http://localhost/pizzafy/admin/index.php

  • Vulnerable Parameter: page (GET request)

  • Back-end Technology: PHP 8.2.12 (as seen in previous analysis), Apache 2.4.58

  • Platform: Windows (XAMPP environment)

Technical Evidence

The vulnerability is confirmed by the error messages generated when a directory traversal payload is supplied.

  • Payload Used: ../../../../../../

  • Observation: The application attempts include('../../../../../../.php').

  • Reference: As shown in LFI 2.png, the server returns a PHP Warning: include(): Failed opening '../../../../../../.php' for inclusion. This shows that the application appends a .php extension to the user-supplied value but does not strip traversal sequences (../), so the resulting path can leave the intended directory. Two consequences follow for exploitation: only files whose name ends in .php can be reached this way (on PHP 8 the suffix cannot be cut off with a null byte, which include() rejects outright), and the .php files that are reached are executed rather than displayed.

  • Path Disclosure: The error message in LFI 2.png also reveals the full internal server path: C:\xampp\htdocs\Pizzafy\admin\index.php.


Impact

  • Information Disclosure: Traversal lets an attacker reach any location on the server's filesystem, but because the application appends .php, non-PHP files such as C:\Windows\win.ini or /etc/passwd cannot be included directly. What can be included is any file ending in .php that the web server can read, including PHP files outside the web root.

  • Source Code Leakage: Application source files can be exposed, potentially revealing database credentials or other hardcoded secrets. Note that a plain include() executes PHP code rather than printing it, so leaking source text generally requires combining the inclusion with a PHP stream filter wrapper; this report did not exercise that path.

  • Remote Code Execution (RCE): If an attacker can place a file whose name ends in .php anywhere the web server can read (for example through an insecure upload feature), this vulnerability will execute it. The appended suffix rules out the classic variants that include an image with embedded PHP or a poisoned log file, since those file names do not end in .php.


Steps to Reproduce

  1. Navigate to the admin panel: http://localhost/pizzafy/admin/index.php.

  2. Modify the URL by adding the page parameter with a directory traversal sequence:

    http://localhost/pizzafy/admin/index.php?page=../../../../../../windows/win.ini

  3. Observe the server response. Because the application appends .php, win.ini itself will not be rendered; the confirmation is the PHP warning quoting the attempted path (here ending in win.ini.php), as seen in LFI 2.png for the bare traversal payload. For a conclusive test, request a .php file known to exist outside the admin directory, omitting the .php suffix from the parameter, and verify that its output appears in the response.

[Screenshot: LFI 2.png]

Remediation

To mitigate this vulnerability, avoid passing user-controllable input directly into file system APIs.

  1. Whitelisting: Maintain a hardcoded list of allowed pages and compare the page parameter against this list.

    ```php
    <?php
    // Allow-list dispatch: the request may only select a key, never a path.
    $allowed_pages = ['home', 'orders', 'menu', 'category_list'];

    // Default to 'home' when the parameter is absent (avoids an undefined-index warning).
    $page = $_GET['page'] ?? 'home';

    // Strict comparison so that only an exact string match is accepted.
    if (in_array($page, $allowed_pages, true)) {
        include($page . '.php');
    } else {
        include('home.php');
    }
    ```
  2. Sanitization: basename() removes directory components, which neutralises ../ sequences, but it still lets the client name any file in the current directory and is not a substitute for an allow-list.

  3. Disable Remote Inclusion: Ensure allow_url_include is set to Off in php.ini (this is the default, and the setting has been deprecated since PHP 7.4). Note that it only blocks remote URL wrappers such as http://; it does nothing against the local traversal reported here.

  4. Suppress Path Disclosure: Set display_errors to Off (and log_errors to On) in production, so that include() warnings such as the one in LFI 2.png go to the error log instead of being returned to the client with the full server path.
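To make both the evidence and the remediation concrete, the following Python script (an added example, not part of this advisory or of the Pizzafy project) models what include($page . '.php') resolves to on the disclosed XAMPP install for several page values, and beside it implements the allow-list dispatcher with an additional realpath containment check, exercised against a constructed temporary directory. The admin directory path is taken from the path-disclosure warning above; the page names in PAGES, the fixture directory, and the assumption that relative includes resolve against the requested script's own directory (PHP changes into the main script's directory when it runs under Apache) are assumptions, not facts established by the report.

```python
"""Resolution model for the vulnerable include() in Pizzafy's admin/index.php,
beside an allow-list dispatcher.  Added example, not the project's code."""
import ntpath
import os
import re
import tempfile

# Directory of the including script, taken from the path disclosed in the
# PHP warning (C:\xampp\htdocs\Pizzafy\admin\index.php).
ADMIN_DIR_WIN = r"C:\xampp\htdocs\Pizzafy\admin"

# include() hands any value with a URL scheme (php://, data://, http://, ...)
# to a stream wrapper instead of opening it as a local file.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def vulnerable_include_target(page: str) -> str:
    """What include($page . '.php') would try to open for a given ?page= value.

    Pure string modelling, no filesystem access.  The suffix is appended
    unconditionally, so the result always ends in '.php'.  Relative paths are
    resolved against the script directory (assumption: PHP's working directory
    under Apache is the directory of the requested script).
    """
    target = page + ".php"
    if WRAPPER_RE.match(target):
        return target  # stream wrapper; the suffix is still glued on
    # Windows silently discards '..' components that climb above the drive
    # root, so over-long traversal payloads still land on a valid path.
    return ntpath.normpath(ntpath.join(ADMIN_DIR_WIN, target))


# Hardened side: the request selects a key, never a path (assumed page names).
PAGES = {
    "home": "home.php",
    "orders": "orders.php",
    "menu": "menu.php",
    "category_list": "category_list.php",
}


def hardened_include_target(page, admin_dir: str) -> str:
    """Allow-list dispatch plus a realpath containment check.

    The allow-list alone is the fix; the containment check is defence in
    depth so that a future typo in PAGES (or a symlink dropped into the
    directory) still cannot reach outside admin_dir.  Unknown or non-string
    pages fall back to home.php, mirroring the advisory's remediation snippet.
    """
    filename = PAGES[page] if isinstance(page, str) and page in PAGES else PAGES["home"]
    root = os.path.realpath(admin_dir)
    real = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, real]) != root:
        raise PermissionError(f"{real} resolves outside {root}")
    if not os.path.isfile(real):
        raise FileNotFoundError(real)
    return real


def make_admin_fixture() -> str:
    """Constructed stand-in for the admin directory (one empty file per
    allow-listed page) so the dispatcher can be exercised offline."""
    d = tempfile.mkdtemp(prefix="pizzafy_admin_")
    for filename in PAGES.values():
        open(os.path.join(d, filename), "w").close()
    return d


if __name__ == "__main__":
    probes = [
        "orders",
        "../../../../../../",
        "../../../../../../windows/win.ini",
        "php://filter/convert.base64-encode/resource=config",
    ]
    for p in probes:
        print(f"vulnerable {p!r:55} -> {vulnerable_include_target(p)}")
    fixture = make_admin_fixture()
    for p in probes:
        print(f"hardened   {p!r:55} -> {hardened_include_target(p, fixture)}")
```

Running the script shows why the win.ini step in the reproduction only yields a warning: the traversal payload resolves to C:\windows\win.ini.php, a file that does not exist, while a wrapper-prefixed value keeps its scheme and is never checked against the filesystem at all. The hardened dispatcher maps every one of those inputs to home.php inside the fixture directory.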


References