CVE-2010-1063 in Free Real Estate Contact Form Script
Summary
by MITRE
Multiple directory traversal vulnerabilities in Phpkobo Free Real Estate Contact Form 1.09, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the LANG_CODE parameter to (1) codelib/cfg/common.inc.php, (2) form/app/common.inc.php, and (3) staff/app/common.inc.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/03/2026
This vulnerability exists in Phpkobo Free Real Estate Contact Form version 1.09 where directory traversal flaws allow remote attackers to execute arbitrary local files through manipulation of the LANG_CODE parameter. The issue specifically manifests when the magic_quotes_gpc PHP configuration setting is disabled, creating a dangerous environment where user input is not properly sanitized before being processed. The vulnerability affects three distinct files within the application's directory structure: codelib/cfg/common.inc.php, form/app/common.inc.php, and staff/app/common.inc.php, all of which accept the LANG_CODE parameter without adequate validation. These directory traversal sequences enable attackers to navigate outside the intended directory boundaries and include local files that should remain inaccessible to external users. The exploitation occurs because the application fails to properly sanitize user-supplied input before using it in file inclusion operations, allowing attackers to craft malicious URLs that can access system files or execute arbitrary code on the server. This represents a classic path traversal vulnerability that can be classified under CWE-22, which specifically addresses improper limitation of a pathname to a restricted directory, commonly known as directory traversal or path traversal attacks. The vulnerability aligns with ATT&CK technique T1059.007, which involves the execution of code through command and scripting interpreters, as the included files may contain executable code that gets processed by the web server. The impact of this vulnerability extends beyond simple information disclosure, as it can enable full system compromise through the execution of arbitrary code, potentially allowing attackers to gain persistent access to the server. The attack vector requires no special privileges and can be executed remotely, making it particularly dangerous in web applications where user input is expected and processed. The vulnerability's severity is amplified by the fact that it operates under the assumption that magic_quotes_gpc is disabled, which is a configuration that many older applications rely on for basic input sanitization. This creates a dangerous attack surface where attackers can leverage the absence of proper input validation to escalate privileges and gain unauthorized access to system resources. The affected application components represent critical parts of the system's configuration and functionality, making successful exploitation particularly impactful for the overall security posture of the web application. The vulnerability demonstrates a fundamental flaw in input validation practices where the application does not properly restrict user input to prevent access to unauthorized files. This type of vulnerability often leads to complete system compromise as attackers can leverage it to read sensitive configuration files, execute malicious code, or establish backdoors within the application environment. The remediation approach must focus on implementing proper input validation, sanitization, and access controls to prevent unauthorized file access. Security practitioners should ensure that all user-supplied input is properly validated and sanitized before being used in file operations, and that the application enforces strict access controls to prevent directory traversal attacks. The vulnerability serves as a reminder of the critical importance of proper input validation and the dangers of relying on deprecated security mechanisms like magic_quotes_gpc, which should be disabled in modern PHP applications due to their limited effectiveness against contemporary attack vectors.