CVE-2007-3217

Name of the Vulnerable Software and Affected Versions: Prototype of an PHP application version 0.1

Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the path inc parameter to various PHP files, including (1) index.php in gestion/, (2) identification.php, (3) disconnect.php, (4) loginliste.php, (5) loginmodif.php, (6) index.php, and (7) ident.inc.php in ident/, (8) menuadministration.php and (9) menuprincipal.php in menu/, (10) param.inc.php in param/, (11) index.php in plugins/phpgacl/, and (12) index.php and (13) common.inc.php. API Endpoints affected include "index.php", "identification.php", "disconnect.php", "loginliste.php", "loginmodif.php", "ident.inc.php", "menuadministration.php", "menuprincipal.php", "param.inc.php", and "common.inc.php". The path inc parameter is vulnerable.

Recommendations: As a temporary workaround, consider restricting access to the path inc parameter in the affected PHP files until a patch is available. Avoid using the path inc parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.