Using remote file inclusion (RFI), an attacker can cause the web application to include a remote file. This is possible for web applications that dynamically include external files or scripts. Potential web security consequences of a successful RFI attack range from sensitive information disclosure and Cross-site Scripting (XSS) to remote code execution and, as a final result, full system compromise.

Remote file inclusion attacks usually occur when an application receives a path to a file as input for a web page and does not properly sanitize it. This allows an external URL to be supplied to the include function.

The following is an example of PHP code with a remote file inclusion vulnerability. A file with source code may be included, resulting in arbitrary code execution.

<?php
/**
 * Get the filename from a GET input
 * Example -
 */
$file = $_GET['file'];

/**
 * Unsafely include the file
 * Example - index.php
 */
include($file);

Using the above PHP script, an attacker could send an HTTP request whose file parameter points to a URL under their control, tricking the application into fetching and executing server-side malicious code, for example, a backdoor or a webshell.

In this example, the malicious file is included and runs with the execution permissions of the server user who runs the web application. That allows an attacker to run any code they want on the web server. They can even gain a persistent presence on the web server.

Finding and Preventing RFI Vulnerabilities

Fortunately, it’s easy to test if your website or web application is vulnerable to RFI and other vulnerabilities such as SQL Injection, directory traversal, and more, by running an automated web scan using the Acunetix vulnerability scanner. Take a demo and find out more about running scans against your website or web application to maintain cybersecurity.

If you find RFI vulnerabilities, the best way to eliminate them is to never include files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included. Input validation (blacklisting or filtering the supplied path) is a much less effective method in this case because attackers can often find a way to bypass the filter.

Additionally, in the case of PHP applications, most current installations are configured with allow_url_include set to off in php.ini. This makes it impossible for malicious users to include remote files. However, Local File Inclusion (LFI) is still possible in such a case.
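The whitelist approach described above, shown as an added example (not code from the original post): the unsafe include from the article sits beside a hardened version that maps a short request key to a developer-chosen file and refuses everything else. The page key names, the pages directory and the page parameter are assumptions made for this illustration.

```php
<?php
// Added example, not from the original post. The $pages map, PAGES_DIR and
// the "page" parameter are assumed names for illustration.

// Vulnerable pattern from the article: whatever the client sends goes to
// include(). With allow_url_include=On this accepts remote URLs; even with it
// Off, local file inclusion (traversal, stream wrappers) remains possible.
function includeUnsafe(string $file): void
{
    include $file;
}

// Hardened pattern: the request carries a key, never a path. Only keys in
// the map are accepted, so URLs, "../" sequences and wrappers are rejected
// outright instead of being filtered.
const PAGES_DIR = __DIR__ . '/pages';

function resolvePage(?string $key): ?string
{
    static $pages = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    if ($key === null || !array_key_exists($key, $pages)) {
        return null; // unknown key: refuse, do not guess
    }
    // Defence in depth: confirm the resolved file really lives under PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $pages[$key]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// ?page[]=x would arrive as an array, so only accept a string value.
$raw  = $_GET['page'] ?? 'home';
$page = resolvePage(is_string($raw) ? $raw : null);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```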

Ian Muscat

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.