CVE-2007-4886

Name of the Vulnerable Software and Affected Versions: AuraCMS versions 1.x through 2.x

Description: The issue allows remote attackers to execute arbitrary PHP code via specific pathways, including UNC share pathnames or certain URL types, by exploiting the pilih parameter in index.php. This is due to an incomplete blacklist that only blocks PHP remote file inclusion for http URLs, leaving other protocols vulnerable.

Recommendations: For AuraCMS versions 1.x through 2.x, consider restricting access to the pilih parameter in index.php to minimize the risk of exploitation until a proper fix is applied. As a temporary workaround, avoid using UNC share pathnames, ftp, ftps, or ssh2.sftp URLs in the pilih parameter. At the moment, there is no information about a newer version that contains a fix for this vulnerability.