This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.
Synopsis :
The remote web server contains several PHP scripts that are prone to
multiple flaws, including arbitrary file inclusion.
Description :
The version of yappa-ng installed on the remote host is prone to
multiple file include and cross-site scripting vulnerabilities due to
its failure to sanitize user-supplied input when various include
scripts are called directly.
By exploiting the file include vulnerabilities, an attacker can read
arbitrary files on the remote host and possibly even run arbitrary
code, subject to the privileges of the web server process. By
exploiting the cross-site scripting vulnerabilities, an attacker can cause
arbitrary script and HTML code to be run in a user's browser within
the context of the affected web site.
See also :
http://www.nessus.org/u?975eec2a
http://sourceforge.net/project/shownotes.php?release_id=323206
Solution :
Upgrade to yappa-ng 2.3.2 or later.
Risk factor :
Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true