PHP - Preventing Local File Inclusion (LFI) in PHP

Local File Inclusion (LFI) is a serious security vulnerability in web applications where an attacker is able to include and execute files from the server through improperly validated input. It typically occurs when a PHP application dynamically loads files based on user input without sufficient validation or sanitization.

Understanding Local File Inclusion

In PHP, developers often use functions like include, require, include_once, or require_once to load files dynamically. For example:

$page = $_GET['page'];
include("pages/" . $page . ".php");

In this case, the application expects a valid page name such as home or about. However, if input is not validated, an attacker can manipulate the value of the page parameter to include unintended files.

For instance, an attacker might try:

?page=../../../../etc/passwd

This attempts to access sensitive system files outside the intended directory. If successful, it can expose confidential data or even lead to remote code execution under certain conditions.

How LFI Attacks Work

LFI attacks exploit directory traversal techniques. Attackers use sequences like ../ to move up the directory structure and access files that should not be exposed. They may target:

  • System files such as /etc/passwd

  • Configuration files containing credentials

  • Log files that can be manipulated to execute code

  • Session files stored on the server

In advanced cases, attackers combine LFI with other vulnerabilities, such as file upload or log poisoning, to execute malicious code.

Common Causes of LFI

The main causes of LFI vulnerabilities include:

  • Direct use of user input in file inclusion functions

  • Lack of input validation or filtering

  • Improper handling of file paths

  • Over-reliance on dynamic file loading

These issues arise when developers assume user input is safe without enforcing strict controls.

Techniques to Prevent LFI

Preventing LFI requires a combination of secure coding practices and proper configuration.

1. Whitelisting Allowed Files

Instead of accepting arbitrary input, define a list of allowed files:

$allowed_pages = ['home', 'about', 'contact'];

$page = $_GET['page'];

if (in_array($page, $allowed_pages)) {
    include("pages/" . $page . ".php");
} else {
    echo "Invalid page";
}

This ensures only predefined files can be included.

2. Avoid Direct User Input in File Paths

Never directly concatenate user input into file paths. Use controlled mappings:

$pages = [
    'home' => 'pages/home.php',
    'about' => 'pages/about.php'
];

include($pages[$_GET['page']] ?? 'pages/home.php');

3. Use basename Function

The basename function removes directory traversal attempts:

$page = basename($_GET['page']);
include("pages/" . $page . ".php");

This prevents attackers from navigating outside the intended directory.

4. Restrict File Access with open_basedir

PHP configuration can limit accessible directories:

open_basedir = /var/www/html/

This ensures PHP cannot access files outside the specified directory.

5. Disable Dangerous Wrappers

Attackers may use PHP stream wrappers like php:// or file://. Disable unnecessary wrappers in the configuration to reduce risk.

6. Validate and Sanitize Input

Always validate user input using strict rules. Accept only expected formats and reject anything suspicious.

7. Proper File Permissions

Ensure sensitive files are not readable by the web server unless necessary. Limit access to configuration and system files.

8. Use Absolute Paths

Using absolute paths instead of relative paths reduces ambiguity and limits traversal risks.

include("/var/www/html/pages/home.php");

9. Keep Software Updated

Use updated versions of PHP and server software to ensure known vulnerabilities are patched.

Real-World Impact

If exploited, LFI can lead to:

  • Exposure of sensitive data

  • Unauthorized access to system files

  • Execution of malicious scripts

  • Full server compromise in severe cases

It is often a stepping stone to more critical attacks.

Best Practices Summary

To effectively prevent LFI:

  • Never trust user input

  • Use strict whitelisting

  • Avoid dynamic file inclusion where possible

  • Restrict file system access

  • Regularly audit and test code for vulnerabilities

Conclusion

Local File Inclusion is a dangerous but preventable vulnerability. By applying proper validation, restricting file access, and following secure coding practices, developers can significantly reduce the risk. A proactive approach to security ensures that applications remain robust and protected against such attacks.