<P> A file inclusion vulnerability is a type of vulnerability that is most commonly found to affect web applications that rely on a scripting run time . This issue is caused when an application builds a path to executable code using an attacker - controlled variable in a way that allows the attacker to control which file is executed at run time . A file include vulnerability is distinct from a generic Directory Traversal Attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution . Successful exploitation of a file include vulnerability will result in remote code execution on the web server that runs the affected web application . </P> <P> Remote File Inclusion (RFI) occurs when the web application downloads and executes a remote file . These remote files are usually obtained in the form of an HTTP or FTP URI as a user - supplied parameter to the web application . </P> <P> Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included for execution . This issue can still lead to remote code execution by including a file that contains attacker - controlled data such as the web server's access logs . </P>

Php is the only language vulnerable to malicious file execution