Main Vulnerability Database Vulnerabilities #VU110405

Path traversal in PHP - CVE-2007-2369

Published: October 11, 2017 / Updated: June 8, 2025

Vulnerability identifier: #VU110405

CSH Severity: Medium

CVSS v4.0:

CVE-ID: CVE-2007-2369

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: PHP Group

Affected software:
PHP

Detailed vulnerability description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in picture.php in WebSPELL 4.01.02 and earlier, when PHP before 4.3.0 is used,. A remote authenticated attacker can send a specially crafted HTTP request and remote attackers to read arbitrary files via a . (dot dot) in the id parameter. Successful exploitation requires that PHP before 4.3.0 is used.

How to mitigate CVE-2007-2369

Install update from vendor's website.

Sources

http://osvdb.org/34638
http://www.vupen.com/english/advisories/2007/1274
https://www.exploit-db.com/exploits/3673

Path traversal in PHP - CVE-2007-2369

Detailed vulnerability description

How to mitigate CVE-2007-2369

Sources

Please verify you're human