Severity: Medium to Critical
File inclusion vulnerabilities occur when user input is used in the inclusion of source code, allowing an attacker to force local or remote code to execute on the server. These vulnerabilities tend to apply to dynamic languages like PHP, where runtime importation of code is common.
Depending on the details of the inclusion, attackers may be able to run code on the server from either a local or remote file. If the vulnerability is local-only, attackers may not be able to run their own code, limiting the impact of this vulnerability.
Whenever possible, user input should not be used in the construction of paths for code inclusion. However, if this is not an option then it is imperative that this user input be put through a very strict whitelist.