Understanding File Inclusion Flaws

Directory Traversal and Local File Inclusion (LFI) vulnerabilities allow attackers to read or execute files on the server by manipulating file paths. This occurs when an application accepts user input (such as a language or theme parameter) and passes it directly to file system operations (like PHP's include, require, or file_get_contents) without proper sanitization. Attackers can use path traversal sequences like ../../ to navigate out of the web root folder.

LFI Risks within WordPress Custom Code

In WordPress, these issues usually pop up in custom page templates or multi-language plugins. For example, if a script includes a file using include( $_GET['page'] . '.php' );, an attacker can pass page=../../../../wp-config so that the appended .php suffix resolves to the site's configuration file. Since wp-config.php contains the database credentials and the secret security keys (salts), exposing it means a complete compromise of the WordPress site and its database.

Preventing Directory Traversal

Eliminating directory traversal requires strictly controlling file paths and avoiding dynamic file inclusion whenever possible:

  • Sanitize File Paths: Use basename() to strip out all path information, leaving only the filename itself. Note that basename() alone still lets the user pick any file inside the target directory, so combine it with a whitelist. WordPress also provides validate_file(), which checks whether a file path contains dangerous sequences like ../ (or is an absolute or Windows drive path) and returns 0 only for a clean relative path.

  • Use Whitelists for Inclusions: Instead of letting users specify a filename, use a static whitelist array. Match the user input against allowed keys and include only pre-approved paths.

  • Disable Sensitive PHP Settings: If your site does not require dynamic file inclusion from user input, ensure configuration directives such as allow_url_include are turned off in your main php.ini file, so that an include() cannot be pointed at a remote URL.
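The whitelist approach applied to the vulnerable include( $_GET['page'] . '.php' ) pattern above, as an added PHP example that is not code from this article or from WordPress core. The templates directory, the PAGE_TEMPLATES array and the resolve_template() helper are assumptions made for the illustration.

```php
<?php
// Added example, not from the original article or WordPress core.
// Assumption: page templates live in a fixed directory under the theme.
declare(strict_types=1);

// Whitelist: the only keys a request may select, each mapped to a fixed
// filename. Nothing from the request is ever concatenated into a path.
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied "page" value to an include path, or null.
 * Defence in depth: whitelist lookup first, then confirm the resolved
 * file really lives inside $templateDir (guards against a symlink or a
 * mis-edited whitelist entry that contains "../").
 */
function resolve_template(string $page, string $templateDir): ?string
{
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        return null; // "../../../../wp-config" is simply not a key
    }
    $dir  = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . PAGE_TEMPLATES[$page]);
    if ($dir === false || $path === false) {
        return null; // directory or template file does not exist
    }
    // $path must start with "$dir/" (a plain prefix check alone would
    // accept a sibling directory such as "/templates-evil").
    $prefix = $dir . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Hardened replacement for: include( $_GET['page'] . '.php' );
$requested = (string) ($_GET['page'] ?? 'home');
$template  = resolve_template($requested, __DIR__ . '/templates');
if ($template === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $template;
```

Any value that is not an exact whitelist key, including every traversal attempt, ends in the 404 branch, and the include path is built only from constants the developer controls.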