Local File Inclusion attempts on the rise

Not a day goes by without a new Joomla Local File Inclusion (LFI) vulnerability. Just take a look at Exploit-DB, Inj3ct0r or Hack0wn and you will find thousands of Joomla components affected by this vulnerability.

For many years, security researchers have written studies on this vulnerability and described the different ways to exploit it. You can find some good papers about LFI exploitation on Exploit-DB. But since 2010, LFI has been coming back in force.

An LFI vulnerability doesn’t look dangerous at first glance, so a quick recap of the potential impacts of being vulnerable is useful:

  • Exposure of sensitive information (clear or hashed passwords, source code, document leakage, etc.)
  • Exposure of system information (system information, user lists, runtime information, etc.)
  • Security bypass (normally inaccessible information could be accessed…)
  • System access (malicious users could gain access to the system and compromise it)
  • Being involved in a botnet without knowing it
  • etc.

Why are Local File Inclusion (LFI) attempts on the rise? The answer is very simple: because Remote File Inclusion (RFI) vulnerabilities are stagnating or even declining. Just do a simple search on Exploit-DB for RFI and you will directly see the difference with the LFI search. RFI vulnerabilities are very simple to exploit, unlike LFI vulnerabilities. To support this, I suggest you visit our one-year RFI HoneyNet statistics, where you will see the increasing activity of RFI botnets. But the number of RFI exploits has been decreasing continuously since the hype of 2006 and 2007. Hosts compromised through LFI are integrated into RFI botnets.

Although LFI exploitation fails in 90% of cases (due to the OS, web server or PHP default hardening), if you scan 1000 hosts you can still compromise 100 of them. Hosts compromised through LFI are compensating for the decrease in hosts compromised through RFI exploits. As a result, since 2010 we have seen the appearance of dedicated Joomla LFI dork lists and the mutation of traditional RFI scanners into LFI/RFI scanners (LRFI). In 2010, traditional RFI scanners have also mutated to integrate XML-RPC and SQL injection scanners, with nice updated dork lists.

We provide a list of all unique LFI attempts seen on our HoneyNet over the last 24 hours. This list will be updated daily and will let you follow the new vulnerable web applications.
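As an added example (not part of the original post and not the HoneyNet's own tooling), the following Python script shows one way to build such a list of unique LFI attempts from your own web server access logs. The log lines are constructed, the component names `com_example` and `com_sample` are hypothetical, and the two sensitive paths it checks are an assumed minimal set.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (documentation IPs, hypothetical components).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2011:10:00:01 +0000] "GET /index.php?option=com_example&controller=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2011:10:00:02 +0000] "GET /index.php?option=com_example&controller=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2011:10:05:00 +0000] "GET /index.php?option=com_sample&view=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 209
203.0.113.5 - - [01/Jan/2011:10:06:00 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 4096
203.0.113.9 - - [01/Jan/2011:10:07:00 +0000] "GET /index.php?option=com_content&file=notes..v2.txt HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." only counts when it is a whole path segment, so "notes..v2.txt" is ignored.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Assumed minimal set of local files worth flagging even without traversal.
SENSITIVE_RE = re.compile(r'/proc/self/environ|/etc/passwd', re.I)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def lfi_attempts(log_text):
    """Return sorted unique (path, component, parameter, decoded value) tuples."""
    seen = set()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        pairs = parse_qsl(url.query, keep_blank_values=True)  # decodes one level
        component = dict(pairs).get("option", "-")
        for name, raw in pairs:
            # Strip the NUL byte used to truncate an appended file extension.
            value = fully_decode(raw).replace("\x00", "")
            if TRAVERSAL_RE.search(value) or SENSITIVE_RE.search(value):
                seen.add((url.path, component, name, value))
    return sorted(seen)

if __name__ == "__main__":
    for attempt in lfi_attempts(SAMPLE_LOG):
        print(*attempt, sep="\t")
```

Grouping by component and parameter rather than by source IP collapses repeated scans into one entry per targeted application, which is what makes a daily list readable.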

So just a final word: take care of your /proc/self/environ, and a special dedication to Indonesia 🙂 If you are curious, take a look at the Indonesian scene.