Family: CGI abuses --> Category: attack
SPiD lang_path Remote File Include Vulnerability Vulnerability Scan
Vulnerability Scan Summary
Checks for lang_path variable file include vulnerability in SPiD
Detailed Explanation for this Vulnerability Test
The remote web server contains a PHP script that is affected by a
remote file include issue.
The remote host is running SPiD, a free, PHP-based photo gallery.
The installed version of SPiD allows remote attackers to control the
'lang_path' variable used when including PHP code in the
'lang/lang.php' script. By leveraging this flaw, a possible hacker may be
able to view arbitrary files on the remote host or to execute
arbitrary PHP code, possibly taken from third-party hosts.
See also :
Either ensure that PHP's 'magic_quotes_gpc' setting is enabled and
that 'allow_url_fopen' and 'register_globals' are disabled or upgrade
to SPiD version 1.3.1.
Medium / CVSS Base Score : 6
Click HERE for more information and discussions on this network vulnerability scan.