Local File Inclusion (LFI)

Scripts that take filenames as parameters without sanitizing the user input are typically good candidates for LFI vulnerabilities. For example, a PHP script:

    foo.php?file=image2.jpg

An attacker would replace image2.jpg with a directory traversal payload:

    foo.php?file=../../../../../../../etc/passwd

or with the path to another sensitive file.
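
The path handling behind a script like foo.php, shown as the vulnerable pattern next to a hardened one. This is an added example, not code from the original page; the function names, the images directory and the sample files are assumptions constructed for the demo.

```php
<?php
// Added illustration. Function names, directory layout and sample files are
// assumptions constructed for this demo, not part of the original page.

// Vulnerable pattern: the parameter is joined to the base directory as-is,
// so "../" sequences in it walk out of that directory.
function vulnerable_path(string $file, string $base): string
{
    return $base . '/' . $file;
}

// Hardened pattern: canonicalise first, then require the result to stay
// inside the base directory.
function safe_path(string $file, string $base): ?string
{
    if ($file === '' || strpos($file, "\0") !== false) {
        return null;                           // empty name or NUL byte
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $file); // resolves ../ and symlinks
    if ($baseReal === false || $target === false) {
        return null;                           // base or target does not exist
    }
    // Trailing separator keeps a sibling such as "images-old" from matching.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                           // resolved outside the base
    }
    return is_file($target) ? $target : null;
}

// Constructed sample tree: one servable image, one file outside its directory.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($root . '/images', 0700, true);
file_put_contents($root . '/images/image2.jpg', 'constructed sample');
file_put_contents($root . '/secret.txt', 'constructed file outside images/');

$inputs = ['image2.jpg', '../secret.txt', '../../../../../../../etc/passwd', 'missing.jpg'];
foreach ($inputs as $input) {
    $verdict = safe_path($input, $root . '/images') === null ? 'rejected' : 'served';
    printf("%-34s naive: %-42s safe: %s\n", $input, vulnerable_path($input, 'images'), $verdict);
}

// Remove the sample tree.
unlink($root . '/images/image2.jpg');
unlink($root . '/secret.txt');
rmdir($root . '/images');
rmdir($root);
```

Where the set of servable files is known in advance, an allowlist of exact names is a stricter check than prefix comparison on the resolved path.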