What is remote file inclusion?

A remote file inclusion (RFI) vulnerability allows attackers to insert files from a web server they control into a vulnerable website or application. Read this article to learn why such attacks are possible and how to prevent remote file inclusion vulnerabilities.

What is remote file inclusion?

How does remote file inclusion work?

A remote file inclusion (RFI) occurs when a file from a remote web server is inserted into a web page. This can be done on purpose to display content from a remote web application but it can also happen by accident due to a misconfiguration of the respective programming language. Such vulnerabilities can lead to an RFI attack.

Even though this kind of file inclusion can occur in almost every kind of web application, those written in PHP code are more likely to to be vulnerable to remote file inclusion attacks. This is because PHP provides native functions that allow the inclusion of remote files, while other languages usually require a workaround to imitate this behavior.

In order to include a remote file, you have to add a string with the URL of the file to an include function (in PHP) or its equivalent in another language. Then the web server of the website under attack makes a request to the remote file, fetches its contents, and includes it on the web page serving the content. The file is then processed by the parser of the language.

How can a web application be vulnerable to remote file inclusion?

By default, RFI is often disabled. PHP, for example, introduced a php.ini configuration option to disable RFI in version 5.2.0. There are only a few scenarios where it is actually needed in PHP code. Sometimes, developers enabled it on purpose, and sometimes it is enabled by default on older versions of the server-side programming language.

Usually developers enable such functionality to include local files, but without proper input validation, it is also possible to fetch data from a remote server. Therefore, in most cases when such functionality is enabled, the web application becomes vulnerable to both remote file inclusion and local file inclusion (LFI).

Exploiting a remote file inclusion vulnerability

Consider a developer who wants to include a local file corresponding to the page specified using the GET parameter. They have different PHP files, such as contact.php, main.php, and about.php, all of which provide different functionality to the website. Each file can be called using the following request that is sent to the index.php file:


While the developer expects that only files inside that folder will be included, it might be possible for an attacker to include files from another directory (LFI) or even from a completely different web server (RFI), especially if there is no whitelist of files. In fact, without a whitelist of permitted files, the attacker can change the filepath to the include function (or equivalent in another language). The attacker can include a local file, but in a typical attack, they change the path to a file that resides on a server they control. This allows attackers to write malicious code inside a file without having to poison logs or otherwise inject code into the web server (which would be required for local file inclusion).

An attack might look like this:


What is the impact of an exploited remote file inclusion?

The impact will differ depending on the type of the remote file inclusion attack and the execution permissions of the web server user. Any included source code in malicious files could be executed by the web server with the privileges of the current the web server user, making it possible to execute arbitrary code that could lead to issues such as sensitive information disclosure and code execution at OS level. If the web server user has administrative privileges on the server, the danger goes beyond web application security and can lead to a full system compromise.

How to prevent remote file inclusion vulnerabilities

To prevent exploitation of the RFI vulnerability,  make sure you disable the remote inclusion feature in the configuration of your application environment, especially if you do not need it. In PHP, you can set allow_url_include to '0'. You should also validate user input before passing it to an Include function. Unvalidated user input is the root cause of many vulnerabilities, such as cross-site scripting (XSS), SQL injection, local file inclusion (LFI), and many others. 

If you really have to enable remote file inclusions, then work with a whitelist of files that are allowed to be included on your web application.

Vulnerability classification and severity table

Classification ID / Severity
PCI v3.1 6.5.1
PCI v3.2 6.5.1
OWASP 2013 A1
CWE 98
HIPAA 164.306(a)
Netsparker Critical
Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.