Recursive File Include - new face of DoS attacks

22:55 24.04.2008

This is English version of my Recursive File Include article.

From various vulnerabilities of web applications there is a class Denial of Service. And at the sites in Internet we can see DoS vulnerabilities quite often (I wrote about such ones many times at my site). As opposed to DDoS attacks (when resource is overloaded by large amount of requests), DoS attacks represent attacks to vulnerable web applications, which with corresponding conditions can lead to server overload, up to its full denial of service. I.e. web applications with DoS vulnerabilities are attacking.

I’ll tell you about new form of Denial of Service vulnerabilities, which I found 03.10.2007 (I saw such holes earlier, but just at October 2007 I begun to research them in detail). It is Recursive File Include, which I referred to the subclass of the class Denial of Service in vulnerability classification.

Recursive File Include - it’s Local file include vulnerability, which is using for making DoS attack. I.e. it is local inclusion of the files (scripts), which leads to DoS attack due to recursion, when files are infinitely including.

For PHP applications the attack with using of this vulnerability will have the next look:

http://site/page.php?include=page.php

As you can see from example, web application is including itself (if manually set the call of the file with name of main web application). To make recursive inclusion possible it is needed that parameter with name of included file (in this case it’s parameter “include”) automatically pass to all following included web applications. Due to infinitely recursive including this request will lead to server overload.

Examples of DoS vulnerabilities via Recursive File Include (which I found 03.10.2007).

DoS:

1. http://www.paulscomputerservice.net/index.php?body=index.php

This vulnerability doesn’t work already (it worked in October, but two days ago, when I wrote about it and other vulnerabilities at www.paulscomputerservice.net, it was fixed already). But nevertheless it is nice example of such type of vulnerabilities.

2. http://reloader.net.ru/index.php?path=index.php

3. http://www.vc-link.net/index.php?inc=index

Hole at www.vc-link.net I found as far back at 2006, but not attended too much at it. Until in October 2007 I remembered about it, when I was conducting this research.

Recursive File Include can be in PHP (Recursive PHP Include), and in other languages (for example in ASP). But, as showed my researches, recursion automatically works only in PHP applications (full recursive file inclusion). But nevertheless with special way it’s possible to conduct Recursive File Include attacks and in other languages, particularly in ASP. Recursive PHP Include, Recursive ASP Include and other recursive inclusions are variety of Recursive File Include vulnerability.

This vulnerability represent a danger to web sites, so developers of web applications need to not allow such vulnerabilities and more attend to security of their applications.


Leave a Reply

You must be logged in to post a comment.