Remote File Inclusion

This is similar to an LFI; however, with a Remote File Inclusion (RFI) the included file is fetched from another website (a remote URL) rather than from the same website.

Now we are going to add some code to our folio.php file under /components/com_folio, which will make it vulnerable to remote file inclusion. Obviously this code isn't required for our component and is only there to demonstrate the vulnerability. You can add this code near the top of the file.

// Deliberately vulnerable: the raw value of the ?controller= request parameter
// is passed straight to require_once, so a remote URL (or a local path) is included.
if($controller = JRequest::getVar('controller'))
{
  require_once $controller;
}

This time, create demo.txt and put it on another site, for example http://localhost/joomlatest/tmp/demo.txt. We won't give it a PHP extension as we will try to disguise it as a text file. Just because it doesn't have ...
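For comparison, a hardened version of the controller dispatch, added here as an example and not code from the book or from the com_folio component. It assumes the component keeps its controllers under JPATH_COMPONENT/controllers and uses the hypothetical controller names 'folio' and 'item'.

```php
<?php
// Added example, not code from the book: a hardened replacement for the
// deliberately vulnerable require_once shown above. Assumes controllers live in
// JPATH_COMPONENT/controllers and that 'folio' and 'item' are hypothetical names.
defined('_JEXEC') or die;

/**
 * Resolve the 'controller' request parameter to a file this component owns.
 * Returns the absolute path, or null when the request must be rejected.
 */
function folioResolveController(JInput $input, array $allowed)
{
    // getCmd() applies Joomla's 'cmd' filter: only [A-Za-z0-9_.-] survive, so
    // "http://", "../", ":" and null bytes never reach the filesystem layer.
    $name = strtolower($input->getCmd('controller', 'folio'));

    // Allow-list check: an RFI or LFI payload can never equal a known name.
    if (!in_array($name, $allowed, true)) {
        return null;
    }

    $path = JPATH_COMPONENT . '/controllers/' . $name . '.php';

    // Defence in depth: JPath::check() throws if the cleaned path contains ".."
    // or resolves outside JPATH_ROOT (Joomla 3 behaviour).
    JPath::check($path);

    return is_file($path) ? $path : null;
}

// Note: PHP's allow_url_include=Off (the default since 5.2) already blocks the
// remote case, but not a local include, so the input check above is still needed.
$path = folioResolveController(JFactory::getApplication()->input, array('folio', 'item'));

if ($path === null) {
    // Log and fail closed instead of including whatever the request named.
    JLog::add('Rejected controller parameter', JLog::WARNING, 'com_folio');
    throw new Exception(JText::_('JERROR_PAGE_NOT_FOUND'), 404);
}

require_once $path;
```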

Get Learning Joomla! 3 Extension Development - Third Edition now with the O’Reilly learning platform.
