Remote file inclusion

from Wikipedia, the free encyclopedia

The term Remote File Inclusion describes a vulnerability in script-based web applications that enables an attacker to smuggle uncontrolled program code into the web server and execute it there.

The term Remote File Inclusion is commonly used in connection with the PHP scripting language, but it also applies to other scripting languages that offer capabilities similar to those of PHP.

Explanation regarding PHP

The PHP statements include and require (as well as include_once and require_once) are used to integrate additional PHP script files into the running script. The vulnerability arises when insufficiently checked user input is used as the parameter of one of these statements. This can lead to unwanted PHP script files being executed. In the worst case, an attacker can even execute program code that is delivered by an external web server.

Since the vulnerability arises from weaknesses in the program code, only a change to the script itself can provide a remedy. PHP also offers the configuration option allow_url_fopen, with which the opening of URLs can be prohibited, but this restricts other functions at the same time. In PHP 5.2 the configuration option allow_url_include was therefore added, with which only the inclusion and execution of remote resources through the PHP statements mentioned can be forbidden separately.
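As an added example (not part of the article), the following PHP shows the pattern just described beside a hardened version that maps the request value onto a fixed allowlist, plus a runtime check of the allow_url_include setting; the page names and directory are hypothetical.

```php
<?php
// Added example, not from the article. File names are hypothetical.

// Vulnerable: the include path is built straight from the request, so the
// value may name a remote URL (when allow_url_include is on) or, through
// directory traversal, any readable local file.
function renderPageUnsafe(array $get): void
{
    include $get['page'] . '.php';
}

// Hardened: the request value is only a key into a fixed allowlist; the
// path actually handed to require never contains request-controlled bytes.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(?string $key): ?string
{
    if ($key === null || !array_key_exists($key, PAGES)) {
        return null;               // unknown key: do not include anything
    }
    return PAGES[$key];
}

function renderPageSafe(array $get): void
{
    $path = resolvePage($get['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    require $path;
}

// Defence in depth: confirm that the php.ini hardening the article mentions
// is actually in effect. ini_get() returns "" or "0" when the option is off.
function remoteIncludeDisabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (!remoteIncludeDisabled()) {
    error_log('allow_url_include is enabled; remote includes are possible');
}
```

The allowlist also neutralises the directory-traversal variant the article links to, because no part of the request value ever reaches the file system as a path.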

See also: Directory Traversal
