CVE-2007-4886 Information

Description

Incomplete blacklist vulnerability in index.php in AuraCMS 1.x and probably 2.x allows remote attackers to execute arbitrary PHP code via a (1) UNC share pathname or a (2) ftp (3) ftps or (4) ssh2.sftp URL in the pilih parameter for which PHP remote file inclusion is blocked only for http URLs.

Reference

http://osvdb.org/40506 http://www.auracms.org/?pilih=news&aksi=lihat&id=117 https://www.exploit-db.com/exploits/4390