A remote file inclusion occurs when a file from a remote server is inserted into a web page. This can be done on purpose to display content on a website from a remote website. But, it can also happen by accident, due to a misconfiguration of the respective programming language or during an attack.
Even though this kind of inclusion can occur in almost every kind of web application, those written in PHP are more likely to to be vulnerable to Remote File Inclusion attacks, because PHP provides native functions that allow the inclusion of remote files. Other languages usually require a workaround to imitate this behavior.
How Does Remote File Inclusion work?
In order to include a remote file, you have to add a string with the URL of the file to an Include function of the respective language (for example, PHP). Then the web server of the website under attack makes a request to the remote file, fetches its contents, and includes it on the web page serving the content. It is then processed by the parser of the language.
How Can a Web Application Be Vulnerable to a Remote File Inclusion?
By default, RFI is often disabled. PHP, for example, introduced the php.ini configuration option in 5.2.0 to disable RFI. There are only a few scenarios where it is actually needed. Sometimes developers enabled it on purpose, and sometimes it is enabled by default on older versions of the server-side programming language.
Usually, developers enable such functionality to allow them to include a local file, but without proper input validation, it is also possible to fetch data from a remote server. Therefore, in most cases, when such functionality is enabled, the web application becomes vulnerable to both Remote File Inclusion and Local File Inclusion (LFI).
Exploiting a Remote File Inclusion Vulnerability
Consider a developer who wants to include a local file depending on the GET parameter page. They have different files such as contact.php, main.php, and about.php, all of which provide different functionality to the website.
Each file can be called using the following request:
While the developer expects that only files inside that folder are included, it might be possible for an attacker to include files from another directory (LFI) or even from a completely different web server (RFI). In fact, without a whitelist (of permitted files), the attacker is able to change the filepath to the programming language’s Include function. The attacker can include a local file, but in a typical attack, they change the path to a file that resides on a server they control. That way, the attacker can easily write malicious code inside a file, without having to poison logs or otherwise inject code inside the web server (which is what is required in the case of an LFI).
An attack might look like this:
What Is the Impact of an Exploited Remote File Inclusion?
The impact may differ depending on the execution permissions of the web server user. Any included source code could be executed by the web server with the privileges of the current web server user, making it possible to execute arbitrary code. Where the web server user has administrative privileges, full system compromise is also possible.
How to Prevent Remote File Inclusion Vulnerabilities
To prevent exploitation of the RFI vulnerability, ensure that you disable the remote inclusion feature in your programming languages’ configuration, especially if you do not need it. In PHP, you can set allow_url_include to ‘ 0.’ You should also validate user input before passing it to an Include function. The recommended way to do this is with a whitelist of permitted files.