
Local File Inclusion (LFI)

security · CWE-98 · OWASP A3:2021 · CVSS 7.5 · PHP 5.0+ · Intermediate

Also Known As

Local File Inclusion, path inclusion, file include vulnerability

TL;DR

A PHP include/require driven by user input that can load arbitrary local files, sometimes leading to code execution.

Explanation

LFI is path traversal aimed at PHP's include, require, include_once or require_once: the attacker controls all or part of the path handed to the include statement and so chooses which local file PHP loads. Because include executes any PHP code it finds in the target and echoes everything else verbatim, the impact depends on what the attacker can point it at. Any file whose content the attacker can influence (an uploaded file, a web server log, a PHP session file) turns the bug into remote code execution. Even without write access, LFI still reads /etc/passwd, application config files holding credentials, and session data, and the php://filter wrapper can return PHP source base64-encoded instead of executing it.

How It's Exploited

GET /index.php?page=../../../../etc/passwd%00
# ../ sequences climb out of the pages/ directory to the filesystem root
# %00 truncates the ".php" suffix the code appends (PHP < 5.3.4 only; later versions reject paths containing a null byte)
# Response body contains /etc/passwd

Common Misconception

"LFI only lets attackers read files; it cannot lead to code execution." This is wrong: include executes PHP code wherever it finds it, so any file whose content the attacker partly controls becomes a code-execution vector. Known routes are log poisoning (send a request whose User-Agent or URL carries a PHP payload, then include the web server's access log), PHP session file inclusion (store a payload in a session variable, then include the session file), and including a file the attacker uploaded.

Why It Matters

Local file inclusion can expose source code, configuration files, and private keys — and combined with log poisoning, escalates to remote code execution.

Common Mistakes

  • Using user-supplied language or template parameters directly in include() without a strict allowlist.
  • Path traversal filtering that strips ../ in a single pass: ....// survives one pass as ../, and URL-encoded (%2e%2e/) or double-encoded (%252e%252e%2f) forms slip through when decoding happens after the filter.
  • Assuming allow_url_include=Off closes every wrapper: php://filter (e.g. php://filter/convert.base64-encode/resource=config.php) is not restricted by it and leaks source, while php://input and data: do require allow_url_include=On.
  • Not using open_basedir to restrict which directories PHP can access at runtime, as defence in depth behind the allowlist.
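The two filter bypasses from the list above, followed by a canonicalising containment check, as an added example that is not part of the original glossary entry. naiveStrip(), resolveUnder(), the throwaway pages/ tree under the system temp directory and the probe strings are all assumptions made up for this demo; run it with the php CLI on a Linux host.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original glossary entry. It demonstrates two
// of the mistakes listed above: a single-pass "../" strip is bypassable, and a
// path check that does not canonicalise first is meaningless. Function names,
// the temporary directory layout and the sample inputs are made up for the demo.

/** The typical broken sanitiser: one non-recursive strip of "../". */
function naiveStrip(string $path): string
{
    return str_replace('../', '', $path);
}

/**
 * Resolve $userPath relative to $baseDir and return the canonical path only if
 * it stays inside $baseDir, otherwise null. Use this only where an allowlist
 * is genuinely impossible; an allowlist remains the preferred fix.
 */
function resolveUnder(string $baseDir, string $userPath): ?string
{
    // Reject NUL early: PHP >= 5.3.4 refuses such paths anyway and PHP 8 throws.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../, symlinks and duplicate separators, and returns
    // false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Compare against "$base/" so that a sibling such as "/var/www/pages-old"
    // is not accepted as being under "/var/www/pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// --- Bypasses of naiveStrip() -----------------------------------------------

// 1. "....//" loses its inner "../" on the single pass and collapses to "../".
echo "after strip:  ", naiveStrip('....//....//etc/passwd'), PHP_EOL;

// 2. Double encoding. The web server decodes %252e%252e%2f once, so
//    $_GET['page'] arrives as "%2e%2e/"; the filter sees no "../"; an
//    application that urldecode()s again afterwards reconstructs it.
$asReceived = '%2e%2e/%2e%2e/etc/passwd';
echo "after decode: ", urldecode(naiveStrip($asReceived)), PHP_EOL;

// --- Containment check on a throwaway directory tree ------------------------

$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . bin2hex(random_bytes(4));
$pages = $root . DIRECTORY_SEPARATOR . 'pages';
mkdir($pages, 0700, true);
file_put_contents($pages . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");

$probes = [
    'home.php',                           // legitimate page: accepted
    '../../../../etc/passwd',             // plain traversal: rejected by the prefix check
    naiveStrip('....//....//etc/passwd'), // output of the broken filter: still rejected
    "home.php\0.txt",                     // NUL injection: rejected before touching the filesystem
    'missing.php',                        // does not exist: rejected
];
foreach ($probes as $p) {
    $r = resolveUnder($pages, $p);
    printf("%-36s => %s\n", addcslashes($p, "\0"), $r ?? 'REJECTED');
}

// Cleanup.
unlink($pages . DIRECTORY_SEPARATOR . 'home.php');
rmdir($pages);
rmdir($root);
```

Both bypass lines print a path beginning with ../../, showing that the strip changed nothing of value. In the probe loop only home.php resolves to a path; every traversal variant, the NUL payload and the non-existent file come back REJECTED. The prefix comparison is done on realpath() output, never on the raw input, and open_basedir is still worth setting so that a check like this is not the last line of defence.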

Code Examples

✗ Vulnerable
$page = $_GET['page'];
include "pages/$page.php"; // LFI: ?page=../../../../etc/passwd%00

✓ Fixed
// Allowlist: only permit known page names
$allowed = ['home', 'about', 'contact', 'faq'];
$page    = $_GET['page'] ?? 'home';

if (!in_array($page, $allowed, true)) {
    $page = 'home';
}

include "pages/{$page}.php"; // only pages in the allowlist

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity

Severity: Critical · Fix effort: Low
Quick Fix: Never pass user input to include/require; use an allowlist map of permitted template names to file paths.
Applies To: PHP 5.0+ (web, CLI)
Detection Hints: grep for include($_GET[, require($_GET[, include($_POST[, or include($variable) where $variable is not checked against an allowlist.
Auto-detectable: Yes (semgrep, psalm)
Related CWEs: CWE-98, CWE-22
