Local File Inclusion (LFI) is an inclusion attack: an attacker tricks the web application into including files that reside on the web server. The attacker does this by exploiting functionality that dynamically includes local files or scripts. A successful LFI attack can lead to directory traversal and information disclosure, as well as remote code execution.
The vulnerability lets an attacker include a file, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. It arises from the use of user-supplied input without proper validation.
Mitigation / Precaution
Avoid passing user-submitted input to any file system or framework API.
Maintain a white list of files that may be included, and use an identifier to access the selected file. Invalid identifiers must be rejected.
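The two precautions above, shown side by side as an added example (not code from the original page): a dynamic include that joins user input straight into a path, and a hardened version that resolves an opaque identifier through an allow list and rejects anything else. The page directory, page files and the identifier table are constructed here for illustration.

```python
import os
import tempfile

# Constructed stand-in for the application's page directory (assumption: a temp dir).
PAGE_DIR = tempfile.mkdtemp()
for name, body in {"home.html": "<h1>Home</h1>", "about.html": "<h1>About</h1>"}.items():
    with open(os.path.join(PAGE_DIR, name), "w") as fh:
        fh.write(body)

# Allow list: opaque identifier -> file name. Request data never becomes part of a path.
PAGES = {"home": "home.html", "about": "about.html"}

# Constructed input that uses "../" sequences; it only re-enters PAGE_DIR, so nothing
# outside the temp dir is ever read, but it shows that the path is attacker-controlled.
TRAVERSAL_SAMPLE = "../" + os.path.basename(PAGE_DIR) + "/home.html"


def include_page_vulnerable(user_value):
    """The pattern the text warns against: user input flows into the file system API."""
    with open(os.path.join(PAGE_DIR, user_value)) as fh:
        return fh.read()


def include_page(identifier):
    """Hardened include: look the identifier up in the allow list, reject unknown values."""
    filename = PAGES.get(identifier)
    if filename is None:
        raise ValueError("unknown page identifier: %r" % identifier)
    base = os.path.realpath(PAGE_DIR)
    path = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: even if the table is misconfigured, the resolved path must stay in PAGE_DIR.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes the page directory")
    with open(path) as fh:
        return fh.read()


def rejects(identifier):
    """True if the hardened include refuses the given identifier."""
    try:
        include_page(identifier)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(include_page_vulnerable(TRAVERSAL_SAMPLE))  # vulnerable version follows the "../"
    print(rejects(TRAVERSAL_SAMPLE))                  # hardened version rejects it
```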