CVE-2007-6553

Name of the Vulnerable Software and Affected Versions TeamCal Pro versions 3.1.000 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the CONF[app root] parameter to various PHP files, including tcuser.class.php, absencecount.inc.php, avatar.inc.php, csvhandler.class.php, functions.tcpro.php, header.html.inc.php, joomlajack.tcpro.php, menu.inc.php, other.inc.php, tcabsence.class.php, tcabsencegroup.class.php, tcallowance.class.php, tcannouncement.class.php, tcconfig.class.php, tcdaynote.class.php, tcgroup.class.php, tcholiday.class.php, tclogin.class.php, tcmonth.class.php, tctemplate.class.php, tcusergroup.class.php, and tcuseroption.class.php in the includes/ directory.

Recommendations For TeamCal Pro versions 3.1.000 and earlier, consider disabling the CONF[app root] parameter to prevent remote file inclusion attacks until a patch is available. Restrict access to the includes/ directory to minimize the risk of exploitation. Avoid using the CONF[app root] parameter in URLs to the affected PHP files until the issue is resolved.