Over a million developers have joined DZone.

What Is Remote File Inclusion (RFI)?

DZone's Guide to

What Is Remote File Inclusion (RFI)?

Read on to learn what exactly Remote File Inclusion means and how to prevent it, as well as to see an example of code that is vulnerable to RFI attacks.

· Security Zone
Free Resource

Discover how to protect your applications from known and unknown vulnerabilities.

Remote File Inclusion (RFI) refers to an inclusion attack wherein an attacker can cause the web application to include a remote file by exploiting a web application that dynamically includes external files or scripts. The consequences of a successful RFI attack include Information Disclosure and Cross-site Scripting (XSS) to Remote Code Execution.

Remote File Inclusion (RFI) usually occurs, when an application receives the path to the file that has to be included as an input without properly sanitizing it. This would allow an external URL to be supplied to the included statement.

The following is an example in PHP that is vulnerable to Remote File Inclusion (RFI).

* Get the filename from a GET input
* Example - http://example.com/?file=filename.php
$file = $_GET['file'];

* Unsafely include the file
* Example - filename.php

In the above example, an attacker could make the following request to trick the application into executing a malicious script such as a webshell.


In this example, the remote file will be included and run with the user privileges the web application is running. That would allow an attacker to run any code they wanted on the web server, including writing files to gain persistence on the web server.

Preventing Remote File Inclusion (RFI) Vulnerabilities

The best way to eliminate Remote File Inclusion (RFI) vulnerabilities is to avoid dynamically including files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included in order to limit the attacker’s control over what gets included.

Additionally, in the case of PHP, most modern PHP configurations are configured with allow_url_include set to off, which would not allow malicious users to include remote files. This being said, Local File Inclusion (LFI) would still be possible.

Find out how Waratek’s award-winning virtualization platform can improve your web application security, development and operations without false positives, code changes or slowing your application.

security ,remote file inclusion ,vulnerabilites ,attacks

Published at DZone with permission of Ian Muscat, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.


Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.


{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}