CVE-2007-1982

really_simple_php_and_ajax < 2007-03-23 - Remote File Inclusion

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-1982. PoCs published by Hamid Ebadi.

AI-analyzed exploit summary This exploit demonstrates a remote file inclusion vulnerability in RSPA (Really Simple PHP and Ajax) due to improper input validation in the '__IncludeFilePHPClass', '__ClassPath', and '__class' parameters. Attackers can include arbitrary PHP files from local or external resources, leading to remote code execution.

Description

Multiple PHP remote file inclusion vulnerabilities in Really Simple PHP and Ajax (RSPA) 2007-03-23 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) __IncludeFilePHPClass, (2) __ClassPath, and (3) __class parameters to (a) rspa/framework/Controller_v5.php, and (b) rspa/framework/Controller_v4.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Hamid Ebadi · textwebappsphp

https://www.exploit-db.com/exploits/3641

View Code ZIP pw:eip

This exploit demonstrates a remote file inclusion vulnerability in RSPA (Really Simple PHP and Ajax) due to improper input validation in the '__IncludeFilePHPClass', '__ClassPath', and '__class' parameters. Attackers can include arbitrary PHP files from local or external resources, leading to remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: RSPA (Really Simple PHP and Ajax) version rspa-2007-03-23

No auth needed

Prerequisites: Network access to the vulnerable RSPA application · Ability to host a malicious PHP file on an external server

MITRE ATT&CK