CVE-2007-4744

AnyInventory 1.9.1 and 2.0 - Remote File Inclusion via DIR_PREFIX Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-4744. PoCs published by ThE TiGeR.

AI-analyzed exploit summary This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in AnyInventory 2.0 via the `environment.php` script by manipulating the `DIR_PREFIX` parameter. The attacker can include arbitrary remote files, potentially leading to remote code execution.

Description

PHP remote file inclusion vulnerability in environment.php in AnyInventory 1.9.1 and 2.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the DIR_PREFIX parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by ThE TiGeR · textwebappsphp

https://www.exploit-db.com/exploits/4365

View Code ZIP pw:eip

This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in AnyInventory 2.0 via the `environment.php` script by manipulating the `DIR_PREFIX` parameter. The attacker can include arbitrary remote files, potentially leading to remote code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: AnyInventory 2.0

No auth needed

Prerequisites: Remote file inclusion must be enabled on the target server · Attacker-controlled remote file with malicious code

MITRE ATT&CK