File Inclusion (LFI/RFI) — Executing or Exposing Files via Improper Input Handling
File Inclusion vulnerabilities, including Local File Inclusion (LFI) and Remote File Inclusion (RFI), allow attackers to pull unintended files into the application's execution flow. This SECMONS glossary entry explains how file inclusion works, how it differs from path traversal, and how defenders should mitigate it.
What Is File Inclusion? 🧠
File Inclusion is a vulnerability that occurs when an application dynamically includes files based on user-controlled input without proper validation.
Depending on implementation, attackers may:
- Include local files from the server (LFI)
- Include remote files hosted on attacker-controlled infrastructure (RFI)
File inclusion is commonly classified as CWE-98 — Improper Control of Filename for Include/Require Statement under the CWE (/glossary/cwe/) taxonomy.
When disclosed publicly, such issues receive a CVE (/glossary/cve/) identifier and are scored via CVSS (/glossary/cvss/).
Local File Inclusion (LFI) 🔎
Local File Inclusion (LFI) allows attackers to include files already present on the target server.
This may expose:
- Configuration files
- Log files
- Application source code
- Credential files
In some environments, LFI can escalate into:
- Remote code execution (via log poisoning or upload chaining)
- Privilege escalation
- Persistence mechanisms
LFI often overlaps with path traversal (/glossary/path-traversal/), but inclusion implies execution or processing of the file rather than simple file reading.
Remote File Inclusion (RFI) 🌐
Remote File Inclusion (RFI) occurs when the application allows inclusion of external files from remote URLs.
If exploited, attackers may:
- Execute malicious scripts directly
- Deploy web shells
- Establish backdoors
- Gain full remote code execution (/glossary/remote-code-execution/)
RFI typically requires the server configuration to permit remote includes.
Why File Inclusion Is High Risk 🎯
File inclusion vulnerabilities can serve as:
- A form of initial access (/glossary/initial-access/) when internet-facing
- A path to code execution
- A stepping stone to privilege escalation (/glossary/privilege-escalation/)
- An enabler for persistence (/glossary/persistence/)
If exploitation is confirmed as exploited in the wild (/glossary/exploited-in-the-wild/) or the vulnerability appears in the Known Exploited Vulnerabilities (KEV) catalog (/glossary/known-exploited-vulnerabilities-kev/), remediation should be prioritized.
File Inclusion vs Path Traversal 🔄
| Vulnerability | Core Behavior |
|---|---|
| Path Traversal | Access unintended files |
| File Inclusion | Include and potentially execute unintended files |
| Command Injection | Execute OS-level commands |
| SQL Injection | Manipulate database queries |
While related, file inclusion typically carries greater execution risk than path traversal, because the included file is processed by the application rather than merely read.
Defensive Considerations 🛡️
Preventing file inclusion requires:
- Strict input validation
- Avoiding dynamic file inclusion based on user input
- Whitelisting allowed files
- Disabling remote file inclusion in configuration
- Enforcing least privilege file permissions
- Monitoring suspicious file access patterns
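As an added example (not code from the SECMONS entry or from any project it describes), the Python module below shows two of the mitigations listed above in working form. The first part contrasts the unsafe pattern of using a request parameter directly as a path with an allowlist-based resolver that maps short page keys to files and, as defense in depth, confirms the canonical path stays inside the template directory. The second part implements the monitoring bullet: it parses access-log lines and flags query parameters that carry traversal sequences, remote URL schemes, or null bytes, decoding values twice so double-encoding does not slip past the check. The template directory path, the page table, and the log lines are constructed for this example.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed for the example: the only directory the app may include files from.
TEMPLATE_DIR = os.path.realpath("/srv/app/templates")

# Allowlist: the user supplies a short key, never a filename. Anything not in
# this table is rejected before any path is built.
ALLOWED_PAGES = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


def escapes_template_dir(path):
    """True if the canonical form of `path` lies outside TEMPLATE_DIR."""
    real = os.path.realpath(path)
    return os.path.commonpath([TEMPLATE_DIR, real]) != TEMPLATE_DIR


def resolve_include_unsafe(page):
    """Vulnerable pattern, shown only for contrast: the parameter is joined to
    the base directory as-is, so '..' segments and absolute paths pass through.
    Returns the canonical path the OS would actually open."""
    return os.path.realpath(os.path.join(TEMPLATE_DIR, page))


def resolve_include(page):
    """Hardened resolver: allowlist lookup plus a containment check on the
    canonical path (guards against a mis-edited table entry or a symlink)."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        raise ValueError("page not in allowlist: %r" % page)
    full = os.path.realpath(os.path.join(TEMPLATE_DIR, filename))
    if escapes_template_dir(full):
        raise ValueError("resolved path escapes template directory")
    return full


def include_allowed(page):
    """Boolean convenience wrapper around resolve_include()."""
    try:
        resolve_include(page)
        return True
    except ValueError:
        return False


# --- Monitoring: flag inclusion-style abuse in access-log query parameters ---

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")          # '../' or '..\' after decoding
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def suspicious_params(target):
    """Return (param, raw_value, reason) for query parameters whose decoded value
    looks like traversal, a remote URL, or contains a null byte."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for raw in values:
            # parse_qs decoded once already; decode twice more so %252e-style
            # double encoding is inspected in its final form.
            value = unquote(unquote(raw))
            if TRAVERSAL_RE.search(value):
                hits.append((name, raw, "traversal"))
            elif REMOTE_RE.match(value):
                hits.append((name, raw, "remote-url"))
            elif "\x00" in value:
                hits.append((name, raw, "null-byte"))
    return hits


def scan_access_log(lines):
    """Return (client_ip, param_name, reason) for every flagged request line."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        for name, _raw, reason in suspicious_params(m.group("target")):
            findings.append((m.group("ip"), name, reason))
    return findings


# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php?page=../../config/secrets.ini HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php?page=%252e%252e%252fconfig%252fsecrets.ini HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php?page=http://203.0.113.5/remote.txt HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    print("safe resolve:", resolve_include("about"))
    print("unsafe resolve:", resolve_include_unsafe("../config/secrets.ini"))
    for finding in scan_access_log(SAMPLE_LOG):
        print("flagged:", finding)
```

The allowlist does the real work; the `commonpath` check only backstops it. Both successful (200) traversal requests in the sample are flagged on the request alone, which matters because a vulnerable include often returns 200 rather than an error, so status-code alerting would miss them.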
Operational mitigation strategies are often documented under:
Why SECMONS Includes File Inclusion Clearly 📌
File inclusion vulnerabilities may appear minor during development review but can escalate quickly into full compromise.
Clear classification ensures defenders recognize when exposure moves from file disclosure into execution risk.
Authoritative References 📎
- MITRE CWE-98 Entry: https://cwe.mitre.org/data/definitions/98.html
- OWASP File Inclusion Overview: https://owasp.org/