Invicti identified an Out-of-Band Remote File Inclusion vulnerability on the target web application by capturing a DNS A request.
This occurs when a file from an arbitrary location can be supplied to the attacked page and included as source code, so that it is parsed and executed by the server.
- Wherever possible, do not build file paths from user-supplied variables. File paths should be hard-coded or selected from a small pre-defined list.
- Where dynamic path concatenation is a major application requirement, ensure input validation is performed and that you only accept the minimum characters required, for example, "a-zA-Z0-9", and that you filter out and do not allow characters such as ".." or "/" or "%00" (null byte) or any other similar multi-function characters.
- Limit the include API so that it only allows inclusion from a defined directory and the directories below it.
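The three remediations above as working code, added here as an example and not Invicti's own: a Python resolver for a hypothetical `page` parameter that also rejects any URL scheme, so remote locations are refused before the character and directory checks run. The allowlist entries, the `.tpl` suffix and the base directory are assumptions.

```python
"""Safe include-path resolution (added example, not Invicti's code).

Implements the remediations above for a hypothetical "page" parameter:
a hard-coded allowlist of template names, a strict character check, and
confinement of the resolved file to a defined base directory.
"""
import os
import re
from urllib.parse import urlsplit

# Remediation 1: hard-coded list of includable templates (assumed names).
ALLOWED_PAGES = {"home", "about", "contact"}

# Remediation 2: minimal character set; excludes "..", "/", "%", NUL and ":".
SAFE_NAME = re.compile(r"^[a-zA-Z0-9_-]{1,32}$")


def resolve_include(page, base_dir, allowlist=ALLOWED_PAGES):
    """Return the absolute path of the template to include, or None when the
    request must be rejected (remote URL or stream wrapper, traversal,
    null byte, disallowed characters, or a name not in the allowlist)."""
    if not isinstance(page, str) or "\x00" in page:
        return None
    # Any scheme (http://, ftp://, data:, php:// ...) means a remote file or
    # a stream wrapper rather than a local template name.
    if urlsplit(page).scheme:
        return None
    if not SAFE_NAME.fullmatch(page):
        return None
    if page not in allowlist:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".tpl"))
    # Remediation 3: the resolved path must stay below the defined base
    # directory even after symlink resolution and normalisation.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```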