CVE-2007-4485

PHP remote file inclusion vulnerability in visitor.php in Butterfly online visitors counter 1.08, when used with certain older versions of PHP with improper SERVER superglobal handling, allows remote attackers to execute arbitrary PHP code via a URL in the _SERVER[DOCUMENT_ROOT] parameter. NOTE: it could be argued that this vulnerability is caused by a problem in PHP and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in Butterfly online visitors counter.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://securityvulns.com/Rdocument845.html	Exploit
http://securityvulns.com/source26994.html
http://osvdb.org/38327
https://exchange.xforce.ibmcloud.com/vulnerabilities/36147
http://www.securityfocus.com/archive/1/482006/100/0/threaded
http://www.securityfocus.com/archive/1/477253/100/0/threaded

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:butterfly:butterfly:1.08:*:*:*:*:*:*:*

Information

Published : 2007-08-22 16:17

Updated : 2018-10-15 14:35

NVD link : CVE-2007-4485

Mitre link : CVE-2007-4485

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

butterfly

butterfly

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://securityvulns.com/Rdocument845.html", "name": "http://securityvulns.com/Rdocument845.html", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://securityvulns.com/source26994.html", "name": "http://securityvulns.com/source26994.html", "tags": [], "refsource": "MISC"}, {"url": "http://osvdb.org/38327", "name": "38327", "tags": [], "refsource": "OSVDB"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36147", "name": "butterfly-visitor-file-include(36147)", "tags": [], "refsource": "XF"}, {"url": "http://www.securityfocus.com/archive/1/482006/100/0/threaded", "name": "20071010 Vulnerabilities digest", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/archive/1/477253/100/0/threaded", "name": "20070821 Vulnerabilities digest", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "PHP remote file inclusion vulnerability in visitor.php in Butterfly online visitors counter 1.08, when used with certain older versions of PHP with improper SERVER superglobal handling, allows remote attackers to execute arbitrary PHP code via a URL in the _SERVER[DOCUMENT_ROOT] parameter. NOTE: it could be argued that this vulnerability is caused by a problem in PHP and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in Butterfly online visitors counter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2007-4485", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2007-08-22T23:17Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:butterfly:butterfly:1.08:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-15T21:35Z"}