LFI & RFI are commonly found in poorly written PHP code, allows an attacker to include a local or remote PHP file  into the webservers running