Remote File Inclusions Pose Threat to Web Server Security
New research rings the alarm bell on the risks of Remote File Inclusions, which could be a more pervasive threat to Web server security than even SQL injection.A common capability on many Web server and content management platforms is the ability to perform Remote File Inclusions (RFIs), which allow users to simply upload an image or a file. Yet RFIs might well be the most pervasive threat on the Web today, according to new research published by cloud security firm Incapsula. Incapsula examined some 500 million Web sessions to its service over a six-month period and found that 25 percent of them were at risk from an RFI-based attack vector, Marc Gaffan, co-founder of Incapsula, told eWEEK. In contrast, over that same period, only 23 percent of sessions were found to be at risk from SQL injection attacks. In the RFI attack vector, that seemingly innocuous file or image upload in fact includes some form of malicious payload that can potentially enable an attacker to harm a server. "The number of RFI vulnerabilities is significant," Gaffan said. "The potential damage from RFIs is broader than a SQL injection attack, where the attacker is just going after a database." In a SQL injection attack, bad code is "injected" into a database, which can then in some cases enable an attacker to extract data. With RFIs, an attacker could potentially gain control of a Website, Gaffan said.
Moving a step further, Incapula's data found that the RFI attackers were going after issues that vendors have patched. For example, the Incapsula report found that 58 percent of RFI attackers were scanning for sites that were at risk from a TimThumb vulnerability, first patched in August 2011. TimThumb is an image-resizing tool that is often used with the popular open-source WordPress content management system.