Remote file inclusion (RFI) is a type of hacker attack that occurs predominantly on websites. This attack happens if the administrator or website builder does not include proper validation and anyone who wants is able to sneak a file into the system. With this attack, the hacker injects a remote file into the server, and the contents of the file wreak havoc on the server according to what the hacker coded. Some remote file inclusion attacks just add a random string of text to the website, while others can cause something more malicious, such as denial of service (DoS), data theft, or further vulnerabilities on the website.
All websites are made up of many files — for images, coding and other features. If the administrator does not include validation rules that check for incoming files, then a remote file inclusion is one of the easiest attacks for a hacker to perform. The hacker just has to manipulate the website address to trick it into including a new file, and the remote file will be uploaded to the server.
The remote file itself is usually a text file that contains some sort of malicious code. In the best scenario, the hacker just uses remote file inclusion to add random text to the website to deface it. This is annoying but not necessarily dangerous. Administrators will find out their system is vulnerable and, in this way, the hacker may be performing a service by alerting administrators to the security hole.
More often, however, a remote file inclusion attack is much worse for the website owner. After the script in the text file executes inside the server, it can cause a DoS attack by constantly pinging the server until the website no longer functions. Any data stored in the database also can be stolen from the website.
Another reason for using remote file inclusion is to make the website weaker to other attacks. When the code executes, it can easily create large holes in an otherwise secure website, which is what a hacker might need to get farther into the website, server or database. This might be difficult for the administrator to fix because, once the code is executed, it can change or manipulate all the other files associated with the website.
To keep from being hacked, administrators usually place validation rules on external files. Better still, external files are not allowed into the system through such loopholes. RFI is an easy hack for both new and advanced hackers but, if the administrator ensures validation of all files, the remote file should not be able to sneak in.