#VU110405 Path traversal in PHP - CVE-2007-2369
Published: October 11, 2017 / Updated: June 8, 2025
Vulnerability identifier: #VU110405
Vulnerability risk: Medium
CVSSv4.0:
CVE-ID: CVE-2007-2369
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
PHP
PHP
Software vendor:
PHP Group
PHP Group
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in picture.php in WebSPELL 4.01.02 and earlier, when PHP before 4.3.0 is used,. A remote authenticated attacker can send a specially crafted HTTP request and remote attackers to read arbitrary files via a . (dot dot) in the id parameter. Successful exploitation requires that PHP before 4.3.0 is used.
Remediation
Install update from vendor's website.