CVE-2007-0182

Name of the Vulnerable Software and Affected Versions magic photo storage website (affected versions not specified)

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the config[site path] parameter to various PHP files. This includes files such as admin password.php, add welcome text.php, admin email.php, add templates.php, admin paypal email.php, approve member.php, delete member.php, index.php, list members.php, membership pricing.php, and send email.php in the admin/ directory. Additionally, it affects config.php and db config.php in the include/ directory, as well as multiple files in the user/ directory, including add category.php, add news.php, change catalog template.php, couple milestone.php, couple profile.php, delete category.php, index.php, login.php, logout.php, register.php, upload photo.php, user catelog password.php, user email.php, user extend.php, and user membership password.php.

Recommendations As a temporary workaround, consider disabling the config[site path] parameter until a patch is available. Restrict access to the affected PHP files to minimize the risk of exploitation. Avoid using the config[site path] parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.