CVE-2007-5117

FrontAccounting 1.13 - Remote Code Execution via path_to_root Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-5117. PoCs published by kezzap66345.

AI-analyzed exploit summary This is a writeup describing a Remote File Inclusion (RFI) vulnerability in FrontAccounting version 1.13. It details the vulnerable parameters and example exploitation URLs but does not include functional exploit code.

Description

Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279.

Exploits (1)

exploitdb WRITEUP VERIFIED
by kezzap66345 · textwebappsphp
https://www.exploit-db.com/exploits/4456

This is a writeup describing a Remote File Inclusion (RFI) vulnerability in FrontAccounting version 1.13. It details the vulnerable parameters and example exploitation URLs but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: FrontAccounting <= 1.13
No auth needed
Prerequisites: Network access to the target application · Ability to host a malicious script on a remote server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/36796
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26962
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25812
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4456

Scores

EPSS 0.0355
EPSS Percentile 87.8%

Details

CWE
CWE-94
Status published
Products (1)
frontaccounting/frontaccounting 1.13
Published Sep 27, 2007
Tracked Since Feb 18, 2026