PT-2007-6156 · Unknown · Izicontents

Irk4Z · Published 2007-09-24 · Updated 2017-09-29 · CVE-2007-5053

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: iziContents versions 1 RC6 and earlier

Description: The issue allows remote attackers to include a remote file and execute arbitrary PHP code by supplying a URL in specific parameters of several PHP files: admin_home in modules/poll/poll_summary.php, rootdp in include/db.php, and language_home in search/search.php, poll/inlinepoll.php, poll/showpoll.php, links/showlinks.php, and links/submit_links.php. The root cause is an incomplete blacklist in modules/moduleSec.php and include/includeSec.php: the checks that are meant to stop URLs from being included miss certain URL schemes, and an ftps:// URL is one example that passes them.

Recommendations: For iziContents versions 1 RC6 and earlier, consider disabling the affected parameters (admin_home, rootdp, and language_home) until a patch is available. Restrict access to the vulnerable files, including modules/poll/poll_summary.php, include/db.php, search/search.php, poll/inlinepoll.php, poll/showpoll.php, links/showlinks.php, and links/submit_links.php, to minimize the risk of exploitation. Do not rely on the blacklist checks in modules/moduleSec.php and include/includeSec.php to block remote URLs, since they are incomplete. At the moment, there is no information about a newer version that contains a fix for this issue.
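To illustrate why the blacklist described above fails and what a hardened check looks like, here is an added example written for this page; it is not iziContents code, and the function names, parameter names and the sample file layout are assumptions. The first function mimics a prefix blacklist in the style the advisory describes; the second accepts only an explicit allowlist of local files resolved under a fixed base directory, so no URL wrapper, listed or not, ever reaches include().

```php
<?php
// Added example, not iziContents code. The blacklist below is a hypothetical
// reconstruction of the pattern the advisory describes, shown next to an
// allowlist-based check. All names and sample paths are assumptions.

// Weak check: it rejects only the schemes it lists. Any wrapper not on the
// list is allowed through, which is the incomplete-blacklist flaw.
function weak_blacklist_check(string $path): bool
{
    $blocked = ['http://', 'https://', 'ftp://'];
    foreach ($blocked as $prefix) {
        if (stripos($path, $prefix) === 0) {
            return false;
        }
    }
    return true;
}

// Hardened check: the requested value must match one of a fixed set of
// relative file names, must not carry any scheme or traversal, and must
// resolve (via realpath) to a file inside $base. Returns the absolute path
// to include, or null when the request is rejected.
function allowlist_include_path(string $base, string $requested, array $allowed): ?string
{
    // Reject any "scheme://" prefix (not just known ones) and any "..".
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested) === 1
        || strpos($requested, '..') !== false) {
        return null;
    }
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $baseReal = realpath($base);
    $full = realpath($base . '/' . $requested);
    // realpath() resolves symlinks, so a link pointing outside $base fails here.
    if ($baseReal === false || $full === false
        || strpos($full, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Constructed sample layout: one legitimate language file under a temp dir.
$base = sys_get_temp_dir() . '/izi_demo_' . getmypid();
mkdir($base . '/languages', 0700, true);
file_put_contents($base . '/languages/en.php', "<?php // constructed sample\n");
$allowed = ['languages/en.php'];

// Constructed inputs: two remote URLs and one legitimate local file name.
$samples = ['http://example.invalid/x', 'ftps://example.invalid/x', 'languages/en.php'];
foreach ($samples as $s) {
    printf("%-28s blacklist: %-8s allowlist: %s\n",
        $s,
        weak_blacklist_check($s) ? 'allowed' : 'blocked',
        allowlist_include_path($base, $s, $allowed) === null ? 'rejected' : 'accepted');
}

// Clean up the constructed files.
unlink($base . '/languages/en.php');
rmdir($base . '/languages');
rmdir($base);
```

Run with `php example.php`: the blacklist blocks the http:// sample but allows the ftps:// one, while the allowlist rejects both URLs and accepts only languages/en.php. The design point is that a deny list has to enumerate every wrapper PHP will ever support, whereas an allowlist only has to name the handful of files the application actually intends to include.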

Exploit · Fix · Code Injection


Weakness Enumeration

Related Identifiers: CVE-2007-5053

Affected Products: Izicontents