Avoiding File Inclusion - Remote File Include (RFI)/ Local File Include (LFI)

File Inclusion is one of the common vulnerabilities in web applications. It happens because of 'include' functionality. In this, malicious files are forced to be included in system from remote location or locally. Most of the times, proper validations are not abide on inputs to the system which leads to adding malicious scripts, executable files entering into the system. This vulnerability can lead to maliciously executing unwanted files on the server or reveal sensitive files data to attackers, etc.
There are two types of File Inclusion Vulnerability
  1. Remote File Include (RFI)
  2. Local File Include (LFI)
How It Works:
We were working on a PHP project which needed a strict security measures. To handle both the file intrusion attacks, we have added a separate PHP file to state which files need to included and which not. Along with this, we also have verified the 3rd Party Libraries to understand if any file inclusion is happening there. 3rd Party Libraries are more prone to file inclusion so we have handled it separately.
You can refer below code that we have added for avoiding File Inclusion Attacks:

$link = $_SERVER['PHP_SELF'];
$link_array = explode('/', $link);
$page = end($link_array);
switch ($page) {
    case "terms_conditions":
        include($page . ".php");
    case "contact_us":
        include($page . ".php");
    case "privacy":
        include($page . ".php");
        include_once './header.php';
        include_once './banner.php';
        include_once './home.php';
        include_once './footer.php';

You can see, only terms_conditions, contact_us, privacy pages to be included and by default header, banner, home and footer pages are supposed to be added. Apart from these files, nothing is going to be included.


Michael Patterson sat down with the CEO of Boston Byte, Mustapha Shaikh to discuss the significance and rapid digitization of the healthcar...