The remote web server contains a PHP application that is affected by remote file include vulnerabilities. Description : The remote host is running phpListPro, a web site voting/ranking tool written in PHP. The installed version of phpListPro fails to sanitize user input to the 'returnpath' parameter of the 'config.php', 'editsite.php', 'addsite.php', and 'in.php' scripts before using it to include PHP code from other files. An unauthenticated attacker may be able to read arbitrary local files or include a file from a remote host that contains commands which will be executed on the remote host subject to the privileges of the web server process. These flaws are only exploitable if PHP's 'register_globals' is enabled.

Edit the affected files as discussed in the vendor advisory above. CVSS Base Score : 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

• http://archives.neohapsis.com/archives/bugtraq/2006-04/0206.html
• http://archives.neohapsis.com/archives/bugtraq/2006-05/0153.html
• http://archives.neohapsis.com/archives/bugtraq/2006-05/0199.html

---

Updated on 2017-03-28