Local File Inclusion

A local file inclusion (LFI) is a security vulnerability in which an external attacker can choose which file from the local system is processed by the called script.

This vulnerability is often used to access password files, such as /etc/passwd, or other hidden files. These files might be read and displayed, or further processed and modified.

<?php

// Input URL : http://vulnerable_host/preview.php?file=../../../../etc/passwd

// Vulnerable: the request parameter is used as a file path without any validation
file_get_contents($_GET['file']);

?>
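
A hardened counterpart to the snippet above, as an added example that is not part of the original page: the requested name is canonicalised and served only if it still lies inside one fixed directory. The function name resolve_preview_path(), the temporary directory and the sample request values are hypothetical and constructed for the demonstration.

```php
<?php
// Added example; resolve_preview_path() and the directory layout are hypothetical.

/** Return the canonical path of $name inside $baseDir, or null if refused. */
function resolve_preview_path(string $baseDir, $name): ?string
{
    // ?file[]=x arrives as an array; NUL bytes are never valid in a path
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Prefixing the base directory means an absolute path or URL-style scheme
    // in $name is treated as a relative path component below $base.
    // realpath() then collapses "..", "." and symlinks (false if missing).
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare with a trailing separator so a sibling such as "previews-old" cannot pass
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary preview directory holding a single file
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'previews_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.txt', "quarterly report\n");

// Constructed request values, as they would arrive in $_GET['file']
$samples = ['report.txt', './report.txt', '../../../../etc/passwd',
            '/etc/passwd', ['report.txt']];
foreach ($samples as $value) {
    $path = resolve_preview_path($dir, $value);
    printf("%-30s %s\n", json_encode($value), $path === null ? 'refused' : 'served');
}

// Remove the constructed files again
unlink($dir . DIRECTORY_SEPARATOR . 'report.txt');
rmdir($dir);
```

Only the first two sample values are served; the traversal string from the input URL above resolves to a real file but fails the prefix check.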

Documentation

See also Exploiting Local File Inclusion (LFI) Using PHP Wrapper, Local File Inclusion (LFI): Understanding and Preventing LFI Attacks