Local File Inclusion
Local File Inclusion (LFI) allows a hacker to execute a file from another part of the site. A hacker may be able to upload a file to your site that includes some PHP code, and then use local file inclusion to trick your site into executing that code.
To simulate this type of attack, create a file in the /tmp folder of your Joomla! site called demo.php, and add the following code:
<?php echo phpinfo(); die;
Now we are going to add some code to our folio.php file under /components/com_folio which will make it vulnerable to local file inclusion. Obviously this code isn't required for our component and is only to demonstrate the vulnerability. You can add this code near the top of the file.
if($controller = JRequest::getVar('controller'))
{
require_once(JPATH_COMPONENT.'/controllers/'.$controller.'.php');
}Now try in your browser the following URL (where joomla3 is your local Joomla! development site).
http://localhost/joomla3/index.php?option=com_folio&controller...
