Guide to remote file inclusion
Many web applications use include functions to combine the contents of other files into a single page. If these includes are not implemented securely, they can be used to include files that the administrator never approved. In some cases those files can be located on a remote server, which is where the vulnerability gets its name: Remote File Inclusion. With improved awareness of this class of vulnerability, the PHP developers have added precautions to help prevent remote file inclusion, but if the server is misconfigured the vulnerability can still exist.
The sample URL below is fairly standard, except that its filename parameter is a remote URL. This means that when the URL is loaded, the remote file may be included as part of the requested page.
So what is so bad about including remote files? After all, plenty of websites make use of iframes. The difference is that a remote file is not simply displayed: it is retrieved from the remote server, included, and executed. This is why remote file inclusion is so dangerous. The included file is treated as though it were part of the local website, so it runs with the same access to the server as the site's own code.
Preventing remote file inclusion
This kind of vulnerability can only occur if the server has allow_url_include enabled in the php.ini file. To disable the feature, locate the file and set the allow_url_include line to Off. It should appear like the example below.
; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = Off
If you genuinely need to include executable files chosen at request time, the most secure approach is to create a whitelist of safe domains or filenames. If someone alters the parameter to an unauthorised value, the code should take some alternative action (such as serving a default page or returning an error) rather than including and running the file.
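The following is an added example, not code from the original guide, showing the whitelist approach above in PHP. It assumes a hypothetical layout where page templates live in a ./pages/ directory and the page is chosen with a `page` query parameter.

```php
<?php
// Added example (not from the original guide): include a page only if the
// requested name appears in a fixed allowlist, so a user-supplied value can
// never resolve to a remote URL or an unexpected local path.
// Assumed (hypothetical) layout: page templates live in ./pages/.

declare(strict_types=1);

// The allowlist maps the public parameter value to a known local file.
// Anything not in this table is rejected outright.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(?string $requested): string
{
    // Unknown or missing values fall back to a safe default instead of
    // being passed to include in any form.
    if ($requested === null || !array_key_exists($requested, ALLOWED_PAGES)) {
        return ALLOWED_PAGES['home'];
    }
    return ALLOWED_PAGES[$requested];
}

// The vulnerable pattern the guide warns about, for contrast only:
//   include $_GET['filename'];
// With allow_url_include enabled, that line fetches and executes whatever
// the parameter points at.

$page = resolvePage($_GET['page'] ?? null);
$path = __DIR__ . '/pages/' . $page;

// Defence in depth: even though $page came from the allowlist, confirm the
// resolved path really sits inside the pages directory before including it.
$base = realpath(__DIR__ . '/pages');
$real = realpath($path);
if ($base === false || $real === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Page not found');
}

include $real;
```

Keeping allow_url_include set to Off remains the primary control; the allowlist ensures the application stays safe even if that setting is later changed.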