A vulnerability classified as critical has been found in Trackeur 1. This affects an unknown function of the file tracking.php. The manipulation of the argument header with an unknown input leads to a file inclusion vulnerability. CWE is classifying the issue as CWE-73. The product allows user input to control or influence paths or file names that are used in filesystem operations. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

** DISPUTED ** PHP remote file inclusion vulnerability in tracking.php in Trackeur 1 allows remote attackers to execute arbitrary PHP code via a URL in the header parameter. NOTE: CVE and a third party dispute this vulnerability because header is defined before use. The researcher is known to be unreliable.

The weakness was disclosed 08/17/2007 (Website). It is possible to read the advisory at securityfocus.com. This vulnerability is uniquely identified as CVE-2007-4383 since 08/17/2007. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit.

The real existence of this vulnerability is still doubted at the moment. By approaching the search of inurl:tracking.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (36046).

Productinfo

Name

• Trackeur

Version

• 1

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion