CVE-2007-4934

Published: Sep 18, 2007Modified: Apr 23, 2026

4.6

Vector

AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 3.9 / Impact: 6.4

Source: NVD

Description

Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allow remote attackers to execute arbitrary PHP code via a URL in the PHPFFL_FILE_ROOT parameter to (1) program_files/livedraft/livedraft.php or (2) program_files/livedraft/admin.php.

Affected (1)

Products: Phpffl: Phpffl

Phpffl

1 product

Phpffl

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Phpffl Phpffl	Version 1.24

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (20)

http://arfis.wordpress.com/2007/09/14/rfi-02-phpffl-fantasy-football-league-manager/

Source: cve@mitre.org

http://osvdb.org/37085

Source: cve@mitre.org

http://osvdb.org/37086

Source: cve@mitre.org

http://secunia.com/advisories/26812

Source: cve@mitre.org

http://sourceforge.net/forum/forum.php?forum_id=735906

Source: cve@mitre.org

http://sourceforge.net/project/shownotes.php?release_id=539716&group_id=137531

Source: cve@mitre.org

Patch

http://www.securityfocus.com/bid/25667

Source: cve@mitre.org

Exploit

http://www.vupen.com/english/advisories/2007/3176

Source: cve@mitre.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/36606

Source: cve@mitre.org

https://www.exploit-db.com/exploits/4406

Source: cve@mitre.org

http://arfis.wordpress.com/2007/09/14/rfi-02-phpffl-fantasy-football-league-manager/