CVE-2007-0831

Name of the Vulnerable Software and Affected Versions: Atsphp version 5.0.1

Description: Multiple PHP remote file inclusion issues allow remote attackers to execute arbitrary PHP code via a URL in the CONF[path] parameter to API endpoints such as "index.php", "sources/usercp.php", or "sources/admin.php". However, it is noted that another researcher has disputed this issue, stating that CONF[path] is defined before use in "index.php" and that CONF[path] inclusion cannot occur through a direct request to other affected files, and also mentioning that "usercp.php" is a typo of "user cp.php".

Recommendations: For Atsphp version 5.0.1, as a temporary workaround, consider restricting access to the CONF[path] parameter in the affected API endpoints until a patch is available. Additionally, verify the correct filename for the user control panel, using "user cp.php" instead of "usercp.php" to avoid potential issues.