What Is Remote File Inclusion?

Article Details
  • Written By: Alex Newth
  • Edited By: Angela B.
  • Last Modified Date: 18 October 2019
  • Copyright Protected:
    Conjecture Corporation
  • Print this Article
Free Widgets for your Site/Blog
People can experience an altered state of consciousness by staring into someone else's eyes for 10 minutes.  more...

November 17 ,  1973 :  US President Richard Nixon insisted he was not a crook.  more...

Remote file inclusion (RFI) is a type of hacker attack that occurs predominantly on websites. This attack happens if the administrator or website builder does not include proper validation and anyone who wants is able to sneak a file into the system. With this attack, the hacker injects a remote file into the server, and the contents of the file wreak havoc on the server according to what the hacker coded. Some remote file inclusion attacks just add a random string of text to the website, while others can cause something more malicious, such as denial of service (DoS), data theft, or further vulnerabilities on the website.

All websites are made up of many files — for images, coding and other features. If the administrator does not include validation rules that check for incoming files, then a remote file inclusion is one of the easiest attacks for a hacker to perform. The hacker just has to manipulate the website address to trick it into including a new file, and the remote file will be uploaded to the server.

The remote file itself is usually a text file that contains some sort of malicious code. In the best scenario, the hacker just uses remote file inclusion to add random text to the website to deface it. This is annoying but not necessarily dangerous. Administrators will find out their system is vulnerable and, in this way, the hacker may be performing a service by alerting administrators to the security hole.


More often, however, a remote file inclusion attack is much worse for the website owner. After the script in the text file executes inside the server, it can cause a DoS attack by constantly pinging the server until the website no longer functions. Any data stored in the database also can be stolen from the website.

Another reason for using remote file inclusion is to make the website weaker to other attacks. When the code executes, it can easily create large holes in an otherwise secure website, which is what a hacker might need to get farther into the website, server or database. This might be difficult for the administrator to fix because, once the code is executed, it can change or manipulate all the other files associated with the website.

To keep from being hacked, administrators usually place validation rules on external files. Better still, external files are not allowed into the system through such loopholes. RFI is an easy hack for both new and advanced hackers but, if the administrator ensures validation of all files, the remote file should not be able to sneak in.


You might also Like


Discuss this Article

Post your comments

Post Anonymously


forgot password?