CVE-2007-4934

phpFFL 1.24 - Remote Code Execution via PHPFFL_FILE_ROOT Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-4934. PoCs published by Dj7xpl.

AI-analyzed exploit summary This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in phpFFL 1.24. The vulnerability arises from insecure usage of the `PHPFFL_FILE_ROOT` parameter in `require()` statements, allowing remote attackers to include arbitrary files.

Description

Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allow remote attackers to execute arbitrary PHP code via a URL in the PHPFFL_FILE_ROOT parameter to (1) program_files/livedraft/livedraft.php or (2) program_files/livedraft/admin.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Dj7xpl · textwebappsphp

https://www.exploit-db.com/exploits/4406

View Code ZIP pw:eip

This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in phpFFL 1.24. The vulnerability arises from insecure usage of the `PHPFFL_FILE_ROOT` parameter in `require()` statements, allowing remote attackers to include arbitrary files.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: phpFFL 1.24

No auth needed

Prerequisites: Remote file inclusion must be enabled on the target server · Attacker must be able to reach the vulnerable endpoint

MITRE ATT&CK