12

I guess the title says it all. There seems to be no obvious difference between directory traversal and file inclusion vulnerabilities.

But I guess there must be some difference, since www.cvedetails.com uses the following categorizations:

 Bypass a restriction or similar 
 Cross Site Scripting 
 Denial of service 
 Directory Traversal 
 Execute arbitrary code on vulnerable system 
 Gain Privileges
 Http Response Splitting 
 Memory Corruption 
 Obtain information 
 Overflow vulnerability (includes stack and heap based overflows and other overflows) 
 Cross site request forgery(CSRF) 
 File Inclusion 
 Sql Injection

Among these we can notice both directory traversal and file inclusion, so they must be different somehow.

alecxe
eleanor

4 Answers

16

Basically, the difference is that with a file inclusion vulnerability, the resource is loaded and executed in the context of the current application. A directory traversal vulnerability, on the other hand, only gives you the ability to read the resource.

Gerry
  • 1
    Thanks for the answer, which is exactly what I need. But then again, I'm still confused: let's look at the following URL: http://www.exploit-db.com/exploits/16250/ . It says there that it's a file inclusion vulnerability, but based on your answer it's a directory traversal, since it only allows us to read the file, not actually execute it. Any ideas why? – eleanor Feb 18 '12 at 11:19
  • 1
    Also remember that other people are having the same questions you have, and there really is no one authority for vulnerability definitions, risk scoring, etc. While that is listed, by the _reporter_, as an LFI, I would still consider it a directory traversal. Compare these results: http://cvedetails.com/vulnerability-list/year-2011/opfileinc-1/file-inclusion.html and http://cvedetails.com/vulnerability-list/year-2011/opdirt-1/directory-traversal.html – Gerry Feb 18 '12 at 15:47
6

Example files:

  • File A is ../../../../configure.php

  • File B is index.php

There is a difference between being able to traverse up directories to access file A (for example) to read its contents, and being able to include the contents of file A, whether hosted locally or remotely, into the page execution of another file.

If a directory traversal existed to give the attacker access to file A, they should at least not be able to read the content of it. However, if File B has this line in it (or similar):

if ( isset( $_GET[ 'id' ] ) ) include( $_GET[ 'id' ] . ".php" );

Then it is possible to have the content of file A included in base64 encoding, into file B in what is called a Local File Inclusion attack.

index.php?id=php://filter/read=convert.base64-encode/resource=../../../../config

That is how I understand the difference to be.

Taipo
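The two sinks contrasted in the answer above, each shown with the check that closes it. This is an added example, not part of the original answer; `PAGES`, `safe_read()`, `safe_include()` and the files in the temporary directory are hypothetical and constructed for the illustration.

```php
<?php
// Hypothetical names throughout: PAGES, safe_read(), safe_include() and the demo files.
const PAGES = ['home' => 'home.php', 'about' => 'about.php']; // allowlist of includable pages

// Read sink (directory traversal): bytes are returned to the caller, never executed.
function safe_read(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name); // resolves ../ and symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null; // missing, or not a regular file
    }
    // Reject anything that resolved outside the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Include sink (file inclusion): the file runs as PHP in the caller's context, so the
// request value only selects a key and never becomes part of the path handed to include.
function safe_include(string $pagesDir, string $id): bool
{
    if (!array_key_exists($id, PAGES)) {
        return false; // unknown key: covers ../ sequences and stream wrappers alike
    }
    include $pagesDir . DIRECTORY_SEPARATOR . PAGES[$id];
    return true;
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . uniqid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/configure.php', '<?php $db_password = "constructed-secret";');
file_put_contents($root . '/pages/home.php', '<?php echo "home page\n";');
file_put_contents($root . '/pages/notes.txt', "public notes\n");

// Read sink: a name inside pages/, then one that climbs out of it.
var_dump(safe_read($root . '/pages', 'notes.txt'));
var_dump(safe_read($root . '/pages', '../configure.php'));

// Include sink: an allowlisted key, a traversal string, and the wrapper form from the answer.
var_dump(safe_include($root . '/pages', 'home'));
var_dump(safe_include($root . '/pages', '../configure'));
var_dump(safe_include($root . '/pages',
    'php://filter/read=convert.base64-encode/resource=../configure'));
```

The read path is constrained by canonicalising and comparing against the base directory; the include path is constrained by never letting the request value reach `include` at all, since anything that reaches it is executed rather than merely read.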
1

The main difference between LFI and Directory Traversal is as follows:

LFI: It has the ability to execute a file. It may be shell code or another local file which exists in the system.

Directory Traversal: It only traverses the files, so we can only read them. It can't execute files. This is a type of Sensitive Information Disclosure.

Kolappan N
Praveen
0

Path Traversal (AKA dot-dot-slash): This attack, also known as the dot-dot-slash attack (../), is usually performed by means of those characters that allow us to move up in the directory tree. By prefacing the sequence with ../ it may be possible to access directories that are hierarchically higher than the one from which we are picking the file.

File Inclusion: the vulnerabilities for this attack are divided into Remote and Local, depending on where the file to include is located. The attack allows you to access files locally/remotely and execute them.