This script is Copyright (C) 2009-2012 Tenable Network Security, Inc.
Synopsis :
The remote web server contains a PHP application that allows execution
of arbitrary PHP code.
Description :
The remote host is running phpSlash, a PHP weblog and content
management system that started out as a port of the Perl code used to
The installed version of phpSlash fails to validate user-supplied
input to the 'fields' parameter of the 'index.php' script before using
it to call 'eval()' in the 'tz_env::generic' method. Regardless of
PHP's 'register_globals' and 'magic_quotes_gpc' settings, an
unauthenticated attacker can exploit this issue to inject arbitrary
PHP code and execute it on the remote host, subject to the privileges
of the web server user id.
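
With no fix listed, one defensive step is to review web server access logs for requests to 'index.php' whose 'fields' parameter carries anything other than plain field names. The following is an added example, not part of the Tenable plugin or of phpSlash; the Common Log Format, the allowlist of legitimate 'fields' characters, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate 'fields' value is a plain name or comma list.
# Anything else (quotes, parentheses, semicolons, ...) is flagged for review.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_,.-]*")

# Common/Combined Log Format: ip ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_fields_requests(lines):
    """Return (client_ip, status, decoded_value) for suspicious 'fields' values."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/index.php"):
            continue
        # parse_qsl percent-decodes names and values for us.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            base = name.split("[", 1)[0]  # also covers array forms: fields[0]=...
            if base == "fields" and not SAFE_VALUE.fullmatch(value):
                hits.append((m.group("ip"), m.group("status"), value))
    return hits

# Constructed sample lines (documentation IP range, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] '
    '"GET /index.php?fields=title,author HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2009:10:00:05 +0000] '
    '"GET /phpslash/index.php?fields=x%3Bplaceholder_call%28%29 HTTP/1.1" 200 431',
    '192.0.2.10 - - [01/Jan/2009:10:00:09 +0000] '
    '"GET /article.php?fields=x%3B HTTP/1.1" 404 210',
    # POST bodies are not recorded in access logs, so this line cannot be judged.
    '192.0.2.78 - - [01/Jan/2009:10:00:12 +0000] "POST /index.php HTTP/1.1" 200 400',
]

if __name__ == "__main__":
    for ip, status, value in flag_fields_requests(SAMPLE_LOG):
        print(f"review: {ip} status={status} fields={value!r}")
```

Because access logs omit POST bodies, the same allowlist check is more complete when applied at a reverse proxy or web application firewall that can see the full request.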
Solution :
Unknown at this time.
Risk factor :
High / CVSS Base Score : 7.5
CVSS Temporal Score : 7.1
Public Exploit Available : true