IT Ignoring Remote and Local File-inclusion Attacks

A new Hacker Intelligence Initiative report released by Imperva, a data security solutions provider, takes aim at local and remote file inclusion (RFI/LFI) attacks that allow hackers to run malicious code and steal data not by including them as e-mail attachments but rather by manipulating a company's Web server.

It may be a threat you haven’t paid attention to, but RFI/LFI attacks made up more than one in five (21 percent) application attacks the company says it found when reviewing attacks on 40 applications from June through November of last year.

“RFI and LFI attacks take advantage of vulnerable PHP Web application parameters by including a URL reference to remotely host[ed] arbitrary code, enabling remote execution. PHP is a programming language designed for Web development and whose use is prevalent in applications on the Internet,” the report said.

The company is raising a red flag for IT security professionals. "LFI and RFI are popular attack vectors for hackers because it is less known and extremely powerful when successful," said Tal Be'ery, the company’s senior Web researcher. "We observed that hacktivists and for-profit hackers utilized these techniques extensively in 2011, and we believe it is time for the security community to devote more attention to the issue."

The report discusses real-world attacks, including how 1.2 million WordPress Web sites were compromised using the TimThumb vulnerability. It includes a technical analysis of an RFI-infected file, examining how shell code hides the attack vector and how that makes it possible to avoid traditional detection and mitigation techniques.

The report also discusses an approach “to mitigate against RFI attacks by utilizing a shell hosting feed.”

The full report can be downloaded for free without the need for registration here.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 04/02/2012