Fortinet FortiWeb 5.0 Patch 6 Administration Guide (page 31)
Table 2: Web-related threats (continued)

Columns: Attack Technique | Description | Protection | FortiWeb Solution

Attack Technique: Remote file inclusion (RFI)

Description: RFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an RFI, a client includes a URL to a file on a remote host, such as source code or scripts, when submitting input. This causes vulnerable web servers to either execute it or include it in their own web pages.
• If code is executed, this could be used for many purposes, including direct attacks on other servers, installation of malware, and data theft.
• If code is included into the local file system, this could be used to cause other, unsuspecting clients who use those web pages to commit distributed XSS attacks. Famously, this was used in organized attacks by LulzSec.
Attacks often involve PHP web applications, but can be written for others.

Protection: Prevent inclusion of references to files on other web servers.

Generic Attacks

Attack Technique: Server information leakage

Description: A web server reveals details (such as its OS, server software and installed modules) in responses or error messages. An attacker can leverage this fingerprint to craft exploits for a specific system or configuration.

Protection: Configure server software to minimize information leakage.

FortiWeb Solution:
• Information Disclosure
• To hide application structure and servlet names, Rewriting & redirecting
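The two protections in the rows above (reject parameter values that reference files on other web servers; minimize server fingerprint details in responses) can be expressed as simple WAF-style checks. This is an added example, not FortiWeb code or configuration; the request target, the response headers and the host `www.example.com` are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qsl

# URL schemes under which an include target is fetched from a remote host.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}


def rfi_findings(request_target: str, local_hosts: set) -> list:
    """Return (param, value) pairs whose value is a URL to a file on a host
    other than the protected site, i.e. the RFI pattern described above.
    parse_qsl percent-decodes values, so an encoded 'http%3A%2F%2F' is caught."""
    findings = []
    for name, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        candidate = value.strip()
        if candidate.startswith("//"):        # scheme-relative URLs still name a host
            candidate = "http:" + candidate
        parts = urlsplit(candidate)
        if parts.scheme.lower() in REMOTE_SCHEMES and parts.hostname \
                and parts.hostname.lower() not in local_hosts:
            findings.append((name, value))
    return findings


# Response headers that commonly carry product, version, OS or module details.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def leakage_findings(response_headers: dict) -> list:
    """Return headers that disclose server software details: any X-Powered-By
    style header, or a Server header carrying a version ('/') or OS/module
    list ('(')."""
    findings = []
    for name, value in response_headers.items():
        lname = name.lower()
        if lname not in FINGERPRINT_HEADERS:
            continue
        if lname != "server" or "/" in value or "(" in value:
            findings.append((name, value))
    return findings


# Constructed sample traffic for a site served as www.example.com.
SAMPLE_REQUEST = "/index.php?page=http%3A%2F%2Fremote.example%2Fpayload.txt&lang=en"
SAMPLE_RESPONSE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu) PHP/7.4.3",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    print("RFI:", rfi_findings(SAMPLE_REQUEST, {"www.example.com"}))
    print("Leakage:", leakage_findings(SAMPLE_RESPONSE_HEADERS))
```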