CVE-2007-4589

Name of the Vulnerable Software and Affected Versions InterWorx Hosting Control Panel (InterWorx-CP) version 3.0.2

Description The issue allows remote attackers to inject arbitrary web script or HTML via the PATH INFO to index.php. Additionally, remote authenticated users can inject arbitrary web script or HTML via the PATH INFO to various PHP files, including siteworx.php, users.php, ftp.php, mysql.php, domains.php, htaccess.php, scriptworx.php, stats.php, backup.php, restore.php, and httpd.php. There are also unspecified vectors to cron.php and prefs.php.

Recommendations For InterWorx Hosting Control Panel (InterWorx-CP) version 3.0.2, consider disabling access to the affected PHP files, such as index.php, siteworx.php, users.php, ftp.php, mysql.php, domains.php, htaccess.php, scriptworx.php, stats.php, backup.php, restore.php, and httpd.php, until a patch is available. As a temporary workaround, restrict access to the PATH INFO to prevent arbitrary web script or HTML injection. Avoid using the PATH INFO in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.