CVE-2007-4588

Name of the Vulnerable Software and Affected Versions InterWorx Hosting Control Panel version 3.0.2

Description The issue allows remote attackers to inject arbitrary web script or HTML via the PATH INFO to index.php. Additionally, remote authenticated users can inject arbitrary web script or HTML via the PATH INFO to various PHP files, including nodeworx.php, users.php, lang.php, themes.php, setup.php, siteworx.php, packages.php, backup.php, import.php, scriptworx.php, resellers.php, reseller-packages.php, http.php, mail.php, ftp.php, mysql.php, sshd.php, nfs.php, cron.php, ip.php, firewall.php, updates.php, rrd.php, or cluster.php.

Recommendations For InterWorx Hosting Control Panel version 3.0.2, consider disabling access to the vulnerable PHP files, such as index.php, nodeworx.php, users.php, lang.php, themes.php, setup.php, siteworx.php, packages.php, backup.php, import.php, scriptworx.php, resellers.php, reseller-packages.php, http.php, mail.php, ftp.php, mysql.php, sshd.php, nfs.php, cron.php, ip.php, firewall.php, updates.php, rrd.php, and cluster.php, until a patch is available. As a temporary workaround, restrict access to the PATH INFO in these files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.