CVE-2007-1364

dropafew < 0.2 - Arbitrary User Creation and Information Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-1364. PoCs published by Alexander Klink.

AI-analyzed exploit summary: This exploit demonstrates SQL injection vulnerabilities in DropAFew 0.2 by creating a new user account via a crafted POST request. The lack of input sanitization allows arbitrary SQL commands to be executed.

Description

DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.

Exploits (1)

exploitdb · Working PoC · Verified
by Alexander Klink · textwebappsphp
https://www.exploit-db.com/exploits/29831

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: DropAFew 0.2
Authentication: none needed
Prerequisites: Network access to the target application · DropAFew 0.2 or prior versions
Analyzed by devstral-2 on Feb 16, 2026

References (5)

Core References
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/24861
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/33561
Exploit (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/23400
Vendor Advisory (x_refsource_misc): https://www.cynops.de/advisories/CVE-2007-1363.txt

Scores

EPSS: 0.0225
EPSS Percentile: 80.6%

Details

Status: published
Products (1): dropafew/dropafew < 0.2
Published: Apr 11, 2007
Tracked Since: Feb 18, 2026