CVE-2007-4949

Name of the Vulnerable Software and Affected Versions phpReactor version 1.2.7pl1

Description Multiple PHP remote file inclusion issues allow remote attackers to execute arbitrary PHP code via a URL in the pathtohomedir parameter to certain PHP files, including (1) ekilat.com-int.tpl.php, (2) phpreactor.org-top.tpl.php, or (3) ekilat.com-top.tpl.php in the examples/ directory. This issue is disputed since it only occurs when the product is incorrectly installed by placing examples/ under the web root.

Recommendations For phpReactor version 1.2.7pl1, avoid placing the examples/ directory under the web root to prevent exploitation. As a temporary workaround, consider restricting access to the pathtohomedir parameter in the affected PHP files until a proper installation configuration is applied.