CVE-2007-6191 in p.mapperinfo

Summary

by MITRE

Multiple PHP remote file inclusion vulnerabilities in Armin Burger p.mapper 3.2.0 beta3 allow remote attackers to execute arbitrary PHP code via a URL in the _SESSION[PM_INCPHP] parameter to (1) incphp/globals.php or (2) plugins/export/mc_table.php. NOTE: it could be argued that this vulnerability is caused by a problem in PHP and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in p.mapper.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 11/03/2025

The CVE-2007-6191 vulnerability represents a critical remote file inclusion flaw discovered in Armin Burger p.mapper version 3.2.0 beta3, a web-based mapping application designed for geographic information system operations. This vulnerability exists within the application's session handling mechanism where the _SESSION[PM_INCPHP] parameter is improperly validated, creating an avenue for malicious actors to inject and execute arbitrary PHP code on the target server. The vulnerability specifically affects two key files within the application's architecture: incphp/globals.php and plugins/export/mc_table.php, both of which process user-supplied input without adequate sanitization or validation. The flaw stems from the application's failure to properly validate or escape user-provided URLs before incorporating them into the application's execution flow, allowing attackers to manipulate the session variables to reference external malicious files.

This vulnerability directly maps to CWE-88, which describes the weakness of allowing command injection through improper handling of input data, and more specifically to CWE-94, which addresses the execution of arbitrary code due to insufficient input validation and sanitization. The operational impact of this vulnerability is severe as it enables remote code execution, potentially allowing attackers to gain complete control over the affected web server. An attacker could leverage this vulnerability to upload malicious files, execute system commands, access sensitive data, or establish persistent backdoors within the application environment. The vulnerability's remote nature means that exploitation does not require local system access, making it particularly dangerous for web applications that are publicly accessible. The fact that this issue affects core application files like globals.php indicates that successful exploitation could compromise the entire application's integrity and potentially the underlying server infrastructure.

The attack vector for this vulnerability demonstrates a classic remote file inclusion (RFI) exploit pattern where malicious actors craft specially formatted URLs that are then processed by the vulnerable application. When the application attempts to include these URLs as PHP files, the server executes the malicious code contained within them, effectively providing the attacker with a foothold in the target system. This vulnerability aligns with ATT&CK technique T1190, which describes the use of remote file inclusion to execute malicious code on target systems. The exploitation process typically involves crafting a malicious URL that references a remote PHP file hosted on the attacker's server, then manipulating the _SESSION[PM_INCPHP] parameter to point to this malicious resource. The vulnerability's classification as a remote code execution flaw places it in the high-risk category, as it can be exploited by anyone with access to the vulnerable application, making it particularly attractive to automated attack tools and malicious actors seeking to compromise web applications at scale.

The recommended mitigations for this vulnerability focus on implementing proper input validation and sanitization mechanisms within the application's codebase. The primary fix involves ensuring that all user-supplied input, particularly session variables, undergoes rigorous validation before being processed or included in any execution context. Developers should implement strict whitelisting of acceptable values for the _SESSION[PM_INCPHP] parameter, rejecting any input that does not match predefined safe patterns or paths. Additionally, the application should disable remote file inclusion features entirely by configuring PHP settings to prevent the inclusion of remote files, or by implementing robust input filtering that strips out potentially dangerous characters and protocols. Organizations should also consider implementing web application firewalls to detect and block suspicious requests attempting to exploit this vulnerability, while maintaining regular security audits and code reviews to identify similar issues within the application's architecture. The vulnerability's potential for causing significant damage underscores the importance of immediate patching and remediation, as the risk of exploitation increases with the time between vulnerability disclosure and implementation of protective measures.

Reservation

11/29/2007

Disclosure

11/29/2007

Moderation

accepted

Entry

VDB-39895

CPE

ready

Exploit

Download

EPSS

0.02187

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!