PT-2007-3280 · Scaradcontrol · Scaradcontrol

Published 2007-04-10 · Updated 2017-10-11 · CVE-2007-1935

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: ScarAdControl version 1.1
Description: The issue allows remote attackers to execute arbitrary PHP code via a UNC share pathname or a local file pathname in the site parameter, which is accessed by the file_exists function. This can be achieved by exploiting the PHP file inclusion vulnerability in the admin/index.php file.
Recommendations: For ScarAdControl version 1.1, consider restricting access to the admin/index.php file and avoid using the file_exists function with user-supplied input in the site parameter until a patch is available. As a temporary workaround, restrict the use of the site parameter to minimize the risk of exploitation.

Related Identifiers

CVE-2007-1935

Affected Products

Scaradcontrol