Remote file inclusion (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. The vulnerability is mainly due to inadequate input validation: the user's input reaches the "file include" commands without being checked.
When a web application takes user input (a URL, a parameter value, etc.) and passes it into "file include" commands, the application can be tricked into including remote files containing malicious code, which then runs on either the server or the clients.
The file include mechanism itself is mainly used for packaging common code into separate files that are later referenced by the main application modules. When a web application references an include file, the code in that file may be executed implicitly, or explicitly by calling specific procedures. If the choice of module to load is based on elements from the HTTP request, the web application can be vulnerable to remote file inclusion attacks.
Consider an unsanitized parameter:
$incfile = $_REQUEST["file"];   // attacker-controlled value, used without any validation
include($incfile);              // the "file include" command the value flows into
Now what you can do is include a file that is not hosted on the victim server, but on the attacker's server instead.
So when the victim server includes this file, it automatically executes the commands contained in the evil.txt file.
The impact may vary depending on the execution permissions of the web server user. Any included source code could be executed by the web server with the privileges of the current web server user, making it possible to execute arbitrary code.
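The following is an added example, not code from the original article: it places the unsafe pattern above next to a hardened replacement that maps a request parameter to a fixed allowlist of local modules. The module names and file paths (pages/home.php and so on) are hypothetical.

```php
<?php
// Added example: vulnerable include beside its hardened form.
// Module names and paths below are assumed for illustration.

// --- Vulnerable: the request value flows straight into include() ---
function includeUnsafe(): void
{
    $incfile = $_REQUEST["file"];
    // With allow_url_include enabled, a URL supplied here is fetched and executed;
    // even with it disabled, local paths and stream wrappers remain reachable.
    include($incfile);
}

// --- Hardened: exact-match allowlist, request value never becomes a path ---
const MODULE_MAP = [
    'home'    => 'pages/home.php',    // hypothetical
    'about'   => 'pages/about.php',   // hypothetical
    'contact' => 'pages/contact.php', // hypothetical
];

// Returns the absolute path for a known module, or null for anything else.
// Because the lookup is by key, URLs, "../" sequences and php:// wrappers
// can never reach include() in any form.
function resolveModule(string $requested): ?string
{
    if (!array_key_exists($requested, MODULE_MAP)) {
        return null;
    }
    return __DIR__ . '/' . MODULE_MAP[$requested];
}

function includeSafe(): void
{
    $requested = isset($_REQUEST['file']) ? (string) $_REQUEST['file'] : 'home';
    $path = resolveModule($requested);
    if ($path === null) {
        // Rejected values are worth logging: repeated unknown module names on
        // this parameter are a useful detection signal for inclusion probing.
        http_response_code(400);
        error_log('rejected include parameter: ' . substr($requested, 0, 200));
        return;
    }
    include $path;
}
```

The allowlist is the primary control; keeping `allow_url_include` disabled in php.ini (its default setting) removes the remote case as defence in depth, but on its own it does not stop inclusion of local files, which is why the request value should select a key rather than form a path.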