Origin:http://iron.randombase.com/2008/05/13/php-source-auditor-4-released/

All packed up & ready for your enjoyment: PHP Source Auditor 4! So, if you have (most likely) never heard of it, this is the deal:

PSA4 is a Perl script that connects to your local webhost and scans all files (recursively) in the www root, for vulnerabilities. It scans for:

1. Remote File Inclusion
2. Remote Command Execution
3. Remote Code Execution
4. Cross Site Scripting
5. SQL injection (very weak scanning on this though)
6. Local File Inclusion (results sometimes get buggy)

The difference with other scanners is, it actually can tell whether the script is vulnerable or not since it exploits it on the fly by entering weird data into the variables. You can download it right here and (for now) nowhere else :).