Ensure that standard, unprivileged users on your server cannot read root-level files. The chmod utility should be used to restrict read and write access strictly to the root owner.
The PHP file_get_contents() happily reads /root/.aws/config and returns its content (if the web server runs as root or has read permissions). The attacker sees the AWS credentials in the HTTP response.
If your applications run on Amazon EC2 instances, ensure that you mandate the use of IMDSv2. IMDSv2 utilizes session-oriented requests and enforces a strict hop limit, preventing SSRF attacks from easily pulling metadata credentials even if a file-read exploit is achieved.

Breakdown of the string fetch-url-file-3A-2F-2F-2Froot-2F.aws-2Fconfig:
fetch-url: Indicates an action or command used by a script or application to retrieve a remote or local resource.
3A: The URL-encoded representation of a colon (:).
2F: The URL-encoded representation of a forward slash (/).
This specific string, fetch-url-file-3A-2F-2F-2Froot-2F.aws-2Fconfig, is a high-risk security payload typically used to test for vulnerabilities. If a web application is vulnerable, an attacker can use this string to trick the server into reading its own internal configuration files—in this case, the AWS root user's CLI configuration.
In LFI attacks, a script includes files based on user input (e.g., ?page=about). If the script directly concatenates the input to a filesystem path without sanitization, an attacker can use path traversal (../../) to read arbitrary files. The file:// wrapper in PHP (allow_url_include) or similar functionalities can also be abused. The encoded string would appear in the page parameter:
The goal of this "fetch" is to steal AWS credentials or configuration details by forcing a server to read its own local files and send them to an attacker.

🛡️ Security Guide: Preventing Local File Inclusion
A 400 response suggests the application rejected the request, but a 200 with the file contents indicates a successful breach.
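The safe counterpart to concatenating ?page= into a path is to resolve the value against a fixed directory and refuse anything that is not a plain page name, answering 400 instead. This is an added example, not code from the original page; the pages directory /var/www/app/pages and the .php suffix are assumptions, and decode_payload() shows how the hyphen-joined form of the payload maps back to file:///root/.aws/config.

```python
import os
import re
from urllib.parse import unquote

# Constructed example, not code from the original page; the pages directory is assumed.
PAGES_DIR = os.path.realpath("/var/www/app/pages")
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")   # what a legitimate ?page= value looks like


def decode_payload(token: str) -> str:
    """Recover the URL hidden in the hyphen-joined form of the payload.
    The scanner string writes each '%' as '-', so '-3A' is ':' and '-2F' is '/'."""
    if token.startswith("fetch-url-"):
        token = token[len("fetch-url-"):]
    return unquote(token.replace("-", "%"))


def resolve_page(user_value: str, base_dir: str = PAGES_DIR):
    """Map a ?page= value to a file inside base_dir, or return None so the caller
    can answer 400. Raw input is never concatenated into a path."""
    decoded = unquote(user_value)
    if decoded != unquote(decoded):
        return None          # double percent-encoding (e.g. %252e) is never a page name
    if "://" in decoded or "\x00" in decoded:
        return None          # stream wrappers such as file:// or php:// are not pages
    if not SAFE_NAME.fullmatch(decoded):
        return None          # no slashes or dots, so ../ traversal cannot be expressed
    candidate = os.path.realpath(os.path.join(base_dir, decoded + ".php"))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None          # a symlink inside the directory resolved to somewhere outside it
    return candidate
```

A None result maps to the 400 the text mentions; a returned path is the only thing the include statement ever sees.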
Inside /root/.aws/config, you will typically find plaintext settings formatted as follows:
Applications should never run under the root user context. Run your web servers (Nginx, Apache, Node.js) under low-privileged system accounts (e.g., www-data). Even if an LFI vulnerability exists, a low-privileged user will be blocked by Linux file permissions from reading /root/.aws/config.

Adopt IMDSv2 for Cloud Instances