Arbitrary Remote PHP File Include Vulnerability

(March 5, 2005)

It took us a few years, but our products have finally received the dubious honor of being mentioned in BugTraq. BugTraq is a "... full disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities ...".

Today we were notified that our Form Mail Script, Tell A Friend Script and Download Center Lite have a remote PHP file include vulnerability. That means that under certain circumstances a third party can make these scripts include arbitrary PHP code.

We have already fixed that security hole. The new versions are available for download:

We strongly recommend that everyone who is using one of these scripts installs the new version. You need to replace the file "index.php" and the whole folder "inc".

If you have questions, feel free to contact us in our support forum.