PT-2009-4667 · PHP · phpCollegeExchange

Cracker · Published 2009-06-25 · Updated 2017-09-19 · CVE-2009-2218

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the vulnerable software and affected versions: phpCollegeExchange version 0.1.5c

Description: When register_globals is enabled, remote attackers can execute arbitrary PHP code by supplying a URL in the home parameter to several PHP files: (1) i_head.php, (2) i_nav.php, (3) user_new_2.php, and (4) house/myrents.php. The same issue exists in (5) allbooks.php, (6) home.php, and (7) mybooks.php in the books/ directory.

Recommendations: For phpCollegeExchange version 0.1.5c, disable the register_globals setting to prevent exploitation. As a temporary workaround, restrict access to the vulnerable PHP files (i_head.php, i_nav.php, user_new_2.php, house/myrents.php, books/allbooks.php, books/home.php, and books/mybooks.php) until a patch is available, and do not rely on the home parameter in the affected files until the issue is resolved.
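The pattern behind this class of bug, as an added illustration that is not phpCollegeExchange's own code: the advisory says a URL placed in the home parameter leads to code execution once register_globals is on, which is what happens when an unset variable such as $home is used to build an include path and the request is allowed to define it. The vulnerable function below is a hypothetical reconstruction of that shape; the hardened functions (resolve_page, register_globals_enabled) and the page allow-list are assumptions chosen for the example, not the project's API.

```php
<?php
// Added example, not code from phpCollegeExchange. Shows the register_globals
// include pattern the advisory describes and a hardened replacement.

// ---- Vulnerable shape (hypothetical reconstruction) ----
// With register_globals=On, a request parameter named `home` silently becomes
// the global $home. If $home is never initialised by the script, the include
// path is whatever the request supplied, and with allow_url_include (or, on
// old PHP, allow_url_fopen) include() will fetch and run a remote script.
function vulnerable_include(): void
{
    global $home;                       // populated by register_globals, not by the app
    include($home . '/i_head.php');     // attacker-controlled prefix
}

// ---- Hardened shape ----
// 1. The application root is a constant, never derived from the request.
// 2. Request input is read explicitly from $_GET; register_globals is not needed.
// 3. A user-supplied page selector is validated against an allow-list and the
//    resolved path is confirmed to stay under the application root.
define('APP_HOME', __DIR__);

const ALLOWED_PAGES = ['i_head', 'i_nav', 'myrents', 'allbooks', 'mybooks'];  // assumed list

function resolve_page(?string $page): string
{
    if ($page === null || !in_array($page, ALLOWED_PAGES, true)) {
        throw new InvalidArgumentException('page selector not in allow-list');
    }
    $candidate = APP_HOME . DIRECTORY_SEPARATOR . $page . '.php';
    // realpath() collapses ../ segments and returns false for missing files
    $real = realpath($candidate);
    $root = APP_HOME . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $root, strlen($root)) !== 0) {
        throw new RuntimeException('resolved path is outside the application root');
    }
    return $real;
}

function hardened_include(): void
{
    $page = isset($_GET['page']) ? (string) $_GET['page'] : null;  // explicit, not implicit
    include resolve_page($page);
}

// Deployment check: ini_get() returns "1"/"On" on old PHP where the directive
// still exists, and false on PHP >= 5.4 where it was removed entirely.
function register_globals_enabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Self-check with constructed inputs: both must be rejected before any file
// access happens, because they never pass the allow-list.
function self_check(): bool
{
    foreach (['../config', 'http://example.invalid/x', ''] as $bad) {
        try {
            resolve_page($bad);
            return false;                   // should not be reachable
        } catch (InvalidArgumentException $e) {
            // expected
        }
    }
    return !register_globals_enabled();
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "self-check passed\n" : "self-check FAILED\n";
}
```

The allow-list check is what actually closes the hole; realpath() is a second line of defence for the case where a selector is later allowed to contain directory parts. Turning the directive off is done in php.ini with `register_globals = Off` or, for mod_php deployments, with `php_flag register_globals off` in .htaccess; register_globals_enabled() lets a deployment script refuse to start while the setting is still on.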

Exploit

Fix

Weakness Enumeration: Code Injection

Related identifiers: CVE-2009-2218

Affected products: phpCollegeExchange