Fortinet FortiWeb 5.0 Patch 6 Administration Guide (page 30)
Table 2: Web-related threats

| Attack Technique | Description | Protection | FortiWeb Solution |
|---|---|---|---|
| Local file inclusion (LFI) | LFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an LFI, a client includes directory traversal commands (such as `../../` for web servers on Linux, Apple Mac OS X, or Unix distributions) when submitting input. This causes vulnerable web servers to use one of the computer's own files (or a file previously installed via another attack mechanism) to either execute it or be included in its own web pages. This could be used for many purposes, including direct attacks of other servers, installation of malware, and data theft of /etc/passwd, display of database query caches, creation of administrator accounts, and use of any other files on the server's file system. Many platforms have been vulnerable to these types of attacks, including Microsoft .NET and Joomla. | Block directory traversal commands. | |
| Generic Attacks | | | |
| Malicious robots | Misbehaving web crawlers ignore the robots.txt file, and consume server resources and bandwidth on a site. | Ban bad robots by source IP or User-Agent: field, as well as rate limiting clients that fail a test that detects web browsers. | Real Browser Enforcement Exception |
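As an added example, not code from the FortiWeb guide and not how FortiWeb implements either feature, the Python below shows the two protections named in the LFI and Malicious robots rows: a file-include path check that blocks directory traversal sequences (including percent- and double-percent-encoded forms) and confines the resolved path to the web root, and a log-driven robot filter that bans by source IP or User-Agent, flags self-identified crawlers that request robots.txt-disallowed paths, and rate-limits per source IP. The web root, the robots.txt rules, the User-Agent names, the TEST-NET addresses and the log lines are all constructed assumptions. The "test that detects web browsers" (Real Browser Enforcement) is not modelled; the rate limit here applies to every client.

```python
"""Two checks matching the Table 2 rows above (constructed example, not FortiWeb code)."""
import posixpath
import re
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root; not a FortiWeb setting

# --- Local file inclusion: block directory traversal in a file parameter ------------
_TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")   # '..' used as a whole path component

def _decode(value: str) -> str:
    """Percent-decode twice (so %252e%252e%252f is caught) and fold backslashes to '/'."""
    for _ in range(2):
        value = unquote(value)
    return value.replace("\\", "/")

def vulnerable_include_path(requested: str, root: str = WEB_ROOT) -> str:
    """The unsafe pattern: client input is joined onto the root without any check,
    so '../../../etc/passwd' resolves to a file outside the web root."""
    return posixpath.normpath(posixpath.join(root, requested))

def safe_include_path(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened version: reject traversal sequences and NUL bytes, then confirm the
    normalised path still lies under root. None means block the request."""
    decoded = _decode(requested)
    if "\x00" in decoded or _TRAVERSAL.search(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

# --- Malicious robots: ban by source IP / User-Agent, honour robots.txt, rate limit ---
ROBOTS_DISALLOW = ("/admin/", "/backup/")                    # constructed robots.txt rules
BANNED_AGENTS = re.compile(r"(?i)\b(BadBot|MassScraper)\b")  # constructed User-Agent names
BANNED_IPS = {"203.0.113.9"}                                 # constructed (TEST-NET-3)
CRAWLER_HINT = re.compile(r"(?i)bot|crawler|spider")         # self-identified robots
RATE_LIMIT, RATE_WINDOW = 5, 10.0                            # max requests per window (s)

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
_LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"')

class RobotFilter:
    def __init__(self) -> None:
        self._hits: Dict[str, deque] = defaultdict(deque)   # ip -> recent request times

    def check(self, line: str, now: float) -> List[str]:
        """Return the reasons a logged request should be blocked; [] means allow."""
        m = _LOG.match(line)
        if not m:
            return ["unparseable"]
        ip, _method, path, agent = m.groups()
        reasons = []
        if ip in BANNED_IPS:
            reasons.append("banned-ip")
        if BANNED_AGENTS.search(agent):
            reasons.append("banned-user-agent")
        if CRAWLER_HINT.search(agent) and any(path.startswith(p) for p in ROBOTS_DISALLOW):
            reasons.append("robots.txt-violation")
        window = self._hits[ip]
        window.append(now)
        while now - window[0] > RATE_WINDOW:   # drop requests older than the window
            window.popleft()
        if len(window) > RATE_LIMIT:
            reasons.append("rate-limited")
        return reasons

def _line(ip: str, path: str, agent: str) -> str:
    return '%s - - [01/Jan/2014:10:00:00 +0000] "GET %s HTTP/1.1" 200 512 "-" "%s"' % (ip, path, agent)

# Constructed traffic: a normal browser, a banned bot reading a disallowed path,
# a banned IP, and a crawler that sends seven requests within four seconds.
SAMPLE_TRAFFIC: List[Tuple[float, str]] = [
    (0.0, _line("198.51.100.7", "/index.html", "Mozilla/5.0")),
    (1.0, _line("198.51.100.8", "/admin/config", "BadBot/2.1")),
    (2.0, _line("203.0.113.9", "/index.html", "Mozilla/5.0")),
] + [(3.0 + i * 0.5, _line("198.51.100.9", "/page%d.html" % i, "SomeCrawler/1.0")) for i in range(7)]

def run_demo() -> Dict[str, List[str]]:
    """Feed the sample traffic through the filter; return ip -> sorted block reasons."""
    filt = RobotFilter()
    verdicts: Dict[str, set] = defaultdict(set)
    for ts, line in SAMPLE_TRAFFIC:
        verdicts[line.split(" ", 1)[0]].update(filt.check(line, ts))
    return {ip: sorted(r) for ip, r in verdicts.items()}

if __name__ == "__main__":
    print(vulnerable_include_path("../../../etc/passwd"), safe_include_path("../../../etc/passwd"))
    for ip, reasons in run_demo().items():
        print(ip, "allow" if not reasons else "block: " + ", ".join(reasons))
```

The include check relies on the path-confinement test after normalisation rather than on the traversal pattern alone, so an encoding the pattern misses still cannot reach a file outside the root. The robot filter keeps a sliding window of request times per source IP; in a real deployment the window state would live in the WAF or a shared store, and the rate limit would be applied only to clients that failed the browser-detection test the table refers to.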