CVE-2007-5014 - Vulnerability Details - OpenCVE

Multiple PHP remote file inclusion vulnerabilities in pSlash 0.70 allow remote attackers to execute arbitrary PHP code via a URL in (1) the lvc_admin_dir parameter to modules/visitors2/admin/view-archiver.inc.php or (2) the lvc_include_dir parameter to modules/visitors2/include/menus.inc.php. NOTE: the modules/visitors2/include/config.inc.php vector is already covered by CVE-2006-4373. NOTE: vector 1 is disputed by CVE because PHP encounters a fatal instantiation error on a direct request for the file, before reaching the include statement.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Derek Leung	Pslash

Configuration 1 [-]

cpe:2.3:a:derek_leung:pslash:0.70:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://arfis.wordpress.com/2007/09/14/rfi-03-pslash/
http://osvdb.org/38288
http://osvdb.org/38289

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-09-20T21:00:00

Updated: 2024-08-07T15:17:27.989Z

Reserved: 2007-09-20T00:00:00

Link: CVE-2007-5014

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-09-20T21:17:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-5014

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-09-14T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple PHP remote file inclusion vulnerabilities in pSlash 0.70 allow remote attackers to execute arbitrary PHP code via a URL in (1) the lvc_admin_dir parameter to modules/visitors2/admin/view-archiver.inc.php or (2) the lvc_include_dir parameter to modules/visitors2/include/menus.inc.php. NOTE: the modules/visitors2/include/config.inc.php vector is already covered by CVE-2006-4373. NOTE: vector 1 is disputed by CVE because PHP encounters a fatal instantiation error on a direct request for the file, before reaching the include statement."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2008-11-15T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "38288", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/38288"}, {"name": "38289", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/38289"}, {"tags": ["x_refsource_MISC"], "url": "http://arfis.wordpress.com/2007/09/14/rfi-03-pslash/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-5014", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple PHP remote file inclusion vulnerabilities in pSlash 0.70 allow remote attackers to execute arbitrary PHP code via a URL in (1) the lvc_admin_dir parameter to modules/visitors2/admin/view-archiver.inc.php or (2) the lvc_include_dir parameter to modules/visitors2/include/menus.inc.php. NOTE: the modules/visitors2/include/config.inc.php vector is already covered by CVE-2006-4373. NOTE: vector 1 is disputed by CVE because PHP encounters a fatal instantiation error on a direct request for the file, before reaching the include statement."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "38288", "refsource": "OSVDB", "url": "http://osvdb.org/38288"}, {"name": "38289", "refsource": "OSVDB", "url": "http://osvdb.org/38289"}, {"name": "http://arfis.wordpress.com/2007/09/14/rfi-03-pslash/", "refsource": "MISC", "url": "http://arfis.wordpress.com/2007/09/14/rfi-03-pslash/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T15:17:27.989Z"}, "title": "CVE Program Container", "references": [{"name": "38288", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/38288"}, {"name": "38289", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/38289"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://arfis.wordpress.com/2007/09/14/rfi-03-pslash/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-5014", "datePublished": "2007-09-20T21:00:00", "dateReserved": "2007-09-20T00:00:00", "dateUpdated": "2024-08-07T15:17:27.989Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:derek_leung:pslash:0.70:*:*:*:*:*:*:*", "matchCriteriaId": "BD4193E3-DAF0-4978-AE41-C8F0D145D429", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple PHP remote file inclusion vulnerabilities in pSlash 0.70 allow remote attackers to execute arbitrary PHP code via a URL in (1) the lvc_admin_dir parameter to modules/visitors2/admin/view-archiver.inc.php or (2) the lvc_include_dir parameter to modules/visitors2/include/menus.inc.php. NOTE: the modules/visitors2/include/config.inc.php vector is already covered by CVE-2006-4373. NOTE: vector 1 is disputed by CVE because PHP encounters a fatal instantiation error on a direct request for the file, before reaching the include statement."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inclusi\u00f3n remota de archivo en PHP en el pSlash 0.70 permiten a atacantes remotos ejecutar c\u00f3digo PHP de su elecci\u00f3n mediante una URL en el (1) par\u00e1metro lvc_admin_dir del modules/visitors2/admin/view-archiver.inc.php o (2) en el par\u00e1metro lvc_include_dir del modules/visitors2/include/menus.inc.php. NOTA: el vector modules/visitors2/include/config.inc.php ya se ha cubierto en la CVE-2006-4373. NOTA2: el vector 1 esta impugnado por la CVE porque el PHP encuentra una instancia de un error fatal en una petici\u00f3n directa al fichero, antes de llegar a la declaraci\u00f3n de inclusi\u00f3n."}], "id": "CVE-2007-5014", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-09-20T21:17:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://arfis.wordpress.com/2007/09/14/rfi-03-pslash/"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/38288"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/38289"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://arfis.wordpress.com/2007/09/14/rfi-03-pslash/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38288"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38289"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}