CVE-2007-0486

Name of the Vulnerable Software and Affected Versions Openads (aka phpAdsNew) version 2.0.7

Description Multiple PHP remote file inclusion issues allow remote attackers to execute arbitrary PHP code via a URL in the (1) phpAds geoPlugin parameter to "libraries/lib-remotehost.inc", the (2) filename parameter to "admin/report-index", or the (3) phpAds config[my footer] parameter to "admin/lib-gui.inc". The vendor has disputed this issue, stating that the relevant variables are used within function definitions.

Recommendations For Openads (aka phpAdsNew) version 2.0.7, consider disabling the phpAds geoPlugin, filename, and phpAds config[my footer] parameters to prevent exploitation until a patch is available. Restrict access to the "libraries/lib-remotehost.inc", "admin/report-index", and "admin/lib-gui.inc" files to minimize the risk of exploitation. Avoid using the phpAds geoPlugin, filename, and phpAds config[my footer] parameters in the affected API endpoints until the issue is resolved.