====================================================
Virtual Hosting Control System v2.2 (www.vhcs.net) 
Remote PHP Code Injection & Command Execution
----------------------------------------------------
Author: frame at kernelpanik.org
Tipe: Remote
Risk: Medium/High
=====================================================

VHCS is a control panel for hosting providers. It's free 
software and provides advanced features. It's written on PHP
and allows remote code execution same way we reported previously:
A non-initialized variable is available from a remote request
using for injecting content.

File which content that variable is is /gui/include/sql.php and
non-initialized variable is $include_path. 
 
== Code snippet (/gui/include/sql.php)
<?php
(..)
global $include_path;

include ($include_path.'adodb/adodb.inc.php');
//include 'adodb/tohtml.inc.php';
include ($include_path.'adodb/adodb-pager.inc.php');
(..)
?>
 
== Exploit
Same last 5 years.

== Patch
Same last 5 years.

== Credits
Same last 5 years.