CVE-2007-3632

Name of the Vulnerable Software and Affected Versions LimeSurvey version 1.49RC2

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the homedir parameter to various PHP files, including (1) OLE/PPS/File.php, (2) OLE/PPS/Root.php, (3) Spreadsheet/Excel/Writer.php, or (4) OLE/PPS.php in admin/classes/pear/, or (5) Worksheet.php, (6) Parser.php, (7) Workbook.php, (8) Format.php, or (9) BIFFwriter.php in admin/classes/pear/Spreadsheet/Excel/Writer/.

Recommendations For LimeSurvey version 1.49RC2, consider disabling remote file inclusion functionality until a patch is available. Restrict access to the homedir parameter in the affected PHP files to minimize the risk of exploitation. Avoid using the homedir parameter in the affected API endpoints until the issue is resolved.