Vulnerability type: file inclusion
Site-building program: other
Server type: general
Programming language: other
Description: An application on the target Unix system may have a file inclusion vulnerability.
A file inclusion vulnerability arises where special directives merge the contents of another script source file into the file currently being executed.
Many scripting languages allow, through special directives (such as PHP's require keyword), the contents of another script source file to be merged into the current file for execution. If the file path given to such a directive contains user-submitted data, a malicious attacker may specially craft that data so that files the web server restricts access to, such as operating system files or important application configuration files, are included and their contents obtained through the browser; this is usually referred to as local file inclusion. If the application's configuration also allows files from remote or other servers to be included, a malicious attacker could construct a special script, have it included and executed, and then obtain the web application's sensitive data or control of it.
A malicious attacker can use the file inclusion vulnerability to obtain the contents of sensitive files or directly execute a malicious script of their choosing, and in turn compromise the web application itself.
2, If the included file must be specified by user input, it is best to analyze the user's input and then explicitly choose the file from a whitelist;
3, Strictly filter user input, making sure the file it includes is in a predetermined directory, or that a URL cannot be included via the parameter.
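
Measures 2 and 3 above, sketched in PHP as an added example (not code from the original advisory). The `pages` directory, the `page` parameter and the function names are assumptions made for illustration.

```php
<?php
// Added example: all names and paths here are hypothetical.
const PAGE_DIR = __DIR__ . '/pages';   // assumed predetermined include directory

// Measure 2: map user-supplied keys to fixed file names,
// so user input never becomes part of a path.
const PAGE_WHITELIST = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_by_whitelist(string $key): ?string
{
    if (!array_key_exists($key, PAGE_WHITELIST)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGE_WHITELIST[$key];
}

// Measure 3: when a file name must come from the user, reject URLs and
// confirm the canonical path stays inside the predetermined directory.
function resolve_in_directory(string $name): ?string
{
    // Reject scheme-style input (http://, php://, data:, ...) and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name) || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $name);  // resolves ../ and symlinks; false if missing
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with a trailing separator so "/pages-old" cannot match "/pages".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Request handling: only a string parameter is accepted (page[]=x is refused).
$page   = $_GET['page'] ?? 'home';
$target = is_string($page) ? resolve_by_whitelist($page) : null;
if ($target === null || !is_file($target)) {
    http_response_code(404);
    exit('Page not found');
}
require $target;
```

The whitelist lookup is the stricter of the two controls; `resolve_in_directory` applies only where the set of includable files cannot be enumerated in advance.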