PT-2007-2703 · Webmobo · Webmobo Wb News

Published

2007-03-07

Updated

2018-10-16

CVE-2007-1288

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Webmobo WB News versions 1.4.1 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the config[installdir] parameter to API endpoints such as "comment.php", "themes.php", "directory.php", and "sendmsg.php" in the "admin/" directory.

Recommendations For Webmobo WB News versions 1.4.1 and earlier, consider restricting access to the admin/ directory and its API endpoints, specifically "comment.php", "themes.php", "directory.php", and "sendmsg.php", to minimize the risk of exploitation. Avoid using the config[installdir] parameter in these endpoints until the issue is resolved.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2007-1288

Affected Products

Webmobo Wb News

PT-2007-2703 · Webmobo · Webmobo Wb News

CVE-2007-1288

Related Identifiers

Affected Products

References · 8