Using remote file inclusion (RFI), an attacker can cause the web application to include a remote file. This is possible for web applications that dynamically include external files or scripts. Potential web security consequences of a successful RFI attack range from sensitive information disclosure and Cross-site Scripting (XSS) to remote code execution and, as a final result, full system compromise.

Remote file inclusion attacks usually occur when an application receives a path to a file as input for a web page and does not properly sanitize it. This allows an external URL to be supplied to the include function.

The following is an example of PHP code with a remote file inclusion vulnerability. A file with source code may be included, resulting in arbitrary code execution.

* Get the filename from a GET input
* Example -
$file = $_GET['file'];

* Unsafely include the file
* Example - index.php

Using the above PHP script, an attacker could make the following HTTP request to trick the application into executing server-side malicious code, for example, a backdoor or a webshell.

In this example, the malicious file is included and runs with the execution permissions of the server user who runs the web application. That allows an attacker to run any code they want on the web server. They can even gain a persistent presence on the web server.

Finding and Preventing RFI Vulnerabilities

Fortunately, it’s easy to test if your website or web application is vulnerable to RFI and other vulnerabilities such as SQL Injection, directory traversal, and more, by running an automated web scan using the Acunetix vulnerability scanner. Take a demo and find out more about running scans against your website or web application to maintain cybersecurity.

If you find RFI vulnerabilities, the best way to eliminate them is to never include files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included. Input validation is a much less effective method in this case because attackers can go around it using clever tricks.

Additionally, in the case of PHP applications, most current installations are configured with allow_url_include set to off in php.ini. This makes it impossible for malicious users to include remote files. However, Local File Inclusion (LFI) is still possible in such a case.

Frequently asked questions

Remote file inclusion (RFI) is a serious web vulnerability. If an RFI vulnerability exists in a website or web application, an attacker can include malicious external files that are later run by this website or web application.

Also read about a related vulnerability – local file inclusion (LFI).

RFI can be very dangerous. Potential consequences range from sensitive information disclosure and cross-site scripting (XSS) to remote code execution (code injection) and, as a final result, full system compromise.

Read more about remote code execution attacks that may be the result of RFI vulnerabilities.

The most efficient way to detect RFI is by using an automated vulnerability scanner such as Acunetix. You can of course detect such vulnerabilities through manual penetration testing but it takes a lot more time and resources.

Learn how vulnerability scanning and penetration testing should be used together.

To avoid RFI and many other vulnerabilities, never trust user input. If you need to include files in your website or web application code, use a whitelist of allowed file names and locations.

Read about best practices for secure coding.

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.