How it works...

If we use the View Source button in DVWA, we can see the server-side source code is as follows:

<?php 
$file = $_GET['page']; //The page we wish to display  
?> 

This means the value of the page parameter is used directly as the filename, which is then included in the code. With this, we can include and execute any PHP or HTML file we want on the server, as long as it is accessible through the network. For the server to be vulnerable to RFI, both allow_url_fopen and allow_url_include must be enabled in its PHP configuration. Otherwise, if the file inclusion vulnerability is present, it is limited to LFI.
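For contrast with the snippet above, the following added example (not DVWA's code and not from the original text) treats the page parameter as a lookup key in an allowlist rather than as a filename, and reports whether the two php.ini settings needed for RFI are enabled. The page keys, the pages/ directory, and the function names are assumptions made for illustration.

```php
<?php
// Added example, not DVWA's code. Page keys and file names are hypothetical.

// Allowlist: the request value is only a lookup key, never part of a path or URL.
const ALLOWED_PAGES = [
    'include' => 'include.php',
    'file1'   => 'file1.php',
    'file2'   => 'file2.php',
];

// Return the file to include, or null unless $requested is an exact allowlist key.
function resolve_page($requested): ?string
{
    if (!is_string($requested)) {   // ?page[]=x arrives as an array
        return null;
    }
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$requested];
}

// List which of the two php.ini flags required for RFI are enabled.
function remote_include_flags(): array
{
    $on = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $flag) {
        if (filter_var(ini_get($flag), FILTER_VALIDATE_BOOLEAN)) {
            $on[] = $flag;
        }
    }
    return $on;
}

// In the application: $file = resolve_page($_GET['page'] ?? null);
// if it is null, respond with 404; otherwise include $file.

// Constructed sample inputs: a valid key, a traversal string, a URL, an array.
$samples = ['file1', '../../../../etc/passwd', 'http://example.test/x.txt', ['file1']];
foreach ($samples as $s) {
    $target = resolve_page($s);
    printf("%-34s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $target ?? 'rejected');
}
$flags = remote_include_flags();
echo 'RFI-enabling flags on: ', $flags ? implode(', ', $flags) : 'none', "\n";
```

Because the included path is built only from values in the allowlist, disabling allow_url_include becomes defense in depth rather than the sole barrier against RFI.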
