What is it
This vulnerability allows any file to be included without verifying thereby allowing arbitrary file uploads and possible system compromise. As the system does not check the origin and other crucial parameters like type of the file, it can be uploaded leading to a compromise.
How serious is it
Remote file inclusion vulnerabilities are very serious because it potentially means any file can be included and executed under the current security context which could lead to a possible system compromise and / or data leak. This vulnerability can also be used as a base for other vulnerabilities like XSS.
The impact of remote file inclusion may result in
- Code execution on the server / client
- Getting a web shell on the server and enabling complete control
- Denial of Service (DoS)
- Gaining access to the data contained in your system (loss of Confidentiality)
- Possible loss of data (loss of Availability);
The amount of data an attacker can retrieve depends on multiple factors like his creative skills, system design and implementation.
How to prevent
Sanitize user input. Do not trust user input. Always verify it for malicious inputs. Use either blacklist or better use whitelists.
Implement a WAF (Web Application Firewall)
Implementing a WAF will help stop remote file inclusions from known blacklisted URLs.
Implement Secure Software Development Lifecycle (SSDLC)
Secure Coding guidelines although critical form ONLY a piece of the puzzle. In order to ensure that applications are secure, security need to be bolted right from the requirements stage and should extrapolate across every other stage be it Design, Coding, Review, Testing, Release or implementation.