Unrated severity · NVD Advisory · Published Mar 23, 2007 · Updated Apr 23, 2026

CVE-2007-1633

Description

Directory traversal in Splatt Forum 4.0 RC1 bbcode_ref.php allows remote inclusion of arbitrary local files via a .. in the name parameter, enabling code execution by leveraging Apache logs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A directory traversal vulnerability exists in bbcode_ref.php within the Giorgio Ciranni Splatt Forum 4.0 RC1 module for PHP-Nuke. The $name parameter (line 17) is used directly in an include statement: include("modules/".$module_name."/functions.php"); (line 19) without sanitization, allowing a .. (dot dot) sequence to traverse directories. Affected version: Splatt Forum 4.0 RC1.

Exploitation

An unauthenticated remote attacker can send a crafted name parameter containing ../ paths to include arbitrary local files. The exploit demonstrated in [1] uses path traversal to include an Apache HTTP Server log file (/var/log/apache/access.log) that has been pre-seeded with PHP code via HTTP requests to the server. No authentication or special privileges are required; only network access to the vulnerable PHP-Nuke installation.
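
A log check for the request pattern described above, as an added example (not code from the advisory or from the Splatt Forum project). Only bbcode_ref.php, the name parameter and the .. sequence come from the advisory; the /modules/EXAMPLE/ path, the sample log lines and the finding labels are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of an Apache common/combined log entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of findings for one access-log line."""
    findings = set()
    # A PHP open tag anywhere in an entry matches the log-seeding step.
    if "<?" in fully_unquote(line):
        findings.add("php-in-log")
    m = REQUEST_RE.search(line)
    if m:
        target = urlsplit(m.group(1))
        if target.path.lower().endswith("/bbcode_ref.php"):
            for raw in parse_qs(target.query).get("name", []):
                # Normalise encodings and backslashes, then look for a ".." segment.
                name = fully_unquote(raw).replace("\\", "/")
                if ".." in name.split("/"):
                    findings.add("traversal-in-name")
    return findings

def scan(lines):
    """Return (line_number, sorted findings) for every suspicious line."""
    return [(n, sorted(f)) for n, line in enumerate(lines, 1) if (f := classify(line))]

# Constructed sample entries: documentation IPs, hypothetical module path.
SAMPLE = [
    '198.51.100.4 - - [23/Mar/2007:10:00:01 +0000] "GET /modules/EXAMPLE/bbcode_ref.php?name=Forums HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Mar/2007:10:00:02 +0000] "GET /modules/EXAMPLE/bbcode_ref.php?name=..%2F..%2Fplaceholder HTTP/1.1" 200 310',
    '203.0.113.7 - - [23/Mar/2007:10:00:03 +0000] "GET /modules/EXAMPLE/bbcode_ref.php?name=%252e%252e%252fplaceholder HTTP/1.1" 200 310',
    '203.0.113.7 - - [23/Mar/2007:10:00:04 +0000] "GET /<?php%20/*constructed*/?> HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE):
        print(lineno, findings)
```

A php-in-log hit means the log file itself should be treated as untrusted content and rotated out of any path the web server user can include.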

Impact

Successful exploitation allows arbitrary PHP code execution on the server as the web server user. The attacker can achieve full remote code execution, potentially leading to complete compromise of the web application and underlying system, including data exfiltration, modification, or denial of service.

Mitigation

The Splatt Forum 4.0 RC1 module is an unmaintained module for the now-outdated PHP-Nuke platform. No official patch has been released; the recommended action is to remove or disable the module. Upgrading to a supported forum solution is strongly advised. As of the publication date (2007-03-23), this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

4
