CVE-2007-0863

Name of the Vulnerable Software and Affected Versions: Trevorchan versions 0.7 and earlier

Description: A remote file inclusion issue allows remote attackers to execute arbitrary code via the tc config[rootdir] parameter to several API endpoints, including "upgrade.php", "paint save.php", "menu.php", "manage.php", and "banned.php". However, this issue has been disputed by reliable third parties, who claim that the variable is set before use in "config.php".

Recommendations: For Trevorchan versions 0.7 and earlier, as a temporary workaround, consider restricting access to the vulnerable API endpoints until the issue is resolved. Avoid using the tc config[rootdir] parameter in the affected endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.