CAPEC-251 Detail

CAPEC-251

Name

Local Code Inclusion

Typical Severity

Medium

Status

Stable

Published

2014-06-23
00h00 +00:00

Modified

2020-12-17
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.

Informations CAPEC

Prerequisites

The targeted application must have a bug that allows an adversary to control which code file is loaded at some juncture.
Some variants of this attack may require that old versions of some code files be present and in predictable locations.

Resources Required

The adversary needs to have enough access to the target application to control the identity of a locally included file. The attacker may also need to be able to upload arbitrary code files to the target machine, although any location for these files may be acceptable.

Mitigations

Implementation: Avoid passing user input to filesystem or framework API. If necessary to do so, implement a specific, allowlist approach.

Related Weaknesses

CWE-ID	Weakness Name
CWE-829	Inclusion of Functionality from Untrusted Control Sphere The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References

REF-613

OWASP Web Security Testing Guide
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion.html

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2015-11-09 +00:00	Updated References
CAPEC Content Team	The MITRE Corporation	2017-08-04 +00:00	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Resources_Required, Solutions_and_Mitigations
CAPEC Content Team	The MITRE Corporation	2018-07-31 +00:00	Updated References
CAPEC Content Team	The MITRE Corporation	2019-04-04 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Mitigations
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated References