CVE-2008-7193

Name of the Vulnerable Software and Affected Versions PHPKIT version 1.6.4 PL1

Description The issue allows remote attackers to conduct cross-site request forgery (CSRF) attacks. This is possible because the session ID is included in the URL, and the PHPKITSID parameter can be read from the HTTP Referer. Attackers can use this information to modify the user profile via the "upload files/include.php" endpoint or create a new administrator via the "upload files/pk/include.php" endpoint.

Recommendations For PHPKIT version 1.6.4 PL1, consider disabling the use of the PHPKITSID parameter in the HTTP Referer as a temporary workaround until a patch is available. Restrict access to the "upload files/include.php" and "upload files/pk/include.php" endpoints to minimize the risk of exploitation.