CVE-2007-2201

Post Revolution 6.6 and 7.0 RC2 - Remote File Inclusion via dir Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-2201. PoCs published by InyeXion.

AI-analyzed exploit summary This exploit demonstrates a remote file inclusion vulnerability in Post Revolution 6.6 / 7.0 RC2. The vulnerable code in `common.php` and `preview_post_completo.php` allows an attacker to include arbitrary files via the `dir` parameter, leading to potential remote code execution.

Description

Multiple PHP remote file inclusion vulnerabilities in Post Revolution 6.6 and 7.0 RC2 allow remote attackers to execute arbitrary PHP code via a URL in the dir parameter to (1) common.php or (2) themes/default/preview_post_completo.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by InyeXion · textwebappsphp

https://www.exploit-db.com/exploits/3785

View Code ZIP pw:eip

This exploit demonstrates a remote file inclusion vulnerability in Post Revolution 6.6 / 7.0 RC2. The vulnerable code in `common.php` and `preview_post_completo.php` allows an attacker to include arbitrary files via the `dir` parameter, leading to potential remote code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Post Revolution 6.6 / 7.0 Release Candidate 2

No auth needed

Prerequisites: Network access to the target application · PHP remote file inclusion conditions (e.g., allow_url_include enabled)

MITRE ATT&CK