CVE-2007-2422

Name of the Vulnerable Software and Affected Versions Comdev One Admin Modules Builder (modbuild) version 4.1

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the path[docroot] parameter to (1) "config-bak.php" or (2) "config.php" endpoints. However, it's noted that unmodified scripts set the applicable variable to an empty string, and reasonable modified copies would use a fixed pathname string.

Recommendations For Comdev One Admin Modules Builder (modbuild) version 4.1, consider restricting access to the "config-bak.php" and "config.php" endpoints to minimize the risk of exploitation. As a temporary workaround, avoid using the path[docroot] parameter in these endpoints until the issue is resolved.