CVE-2010-1360 in FAQEngine
Summary
by MITRE
Multiple PHP remote file inclusion vulnerabilities in FAQEngine 4.24.00 allow remote attackers to execute arbitrary PHP code via a URL in the path_faqe parameter to (1) attachs.php, (2) backup.php, (3) badwords.php, (4) categories.php, (5) changepw.php, (6) colorchooser.php, (7) colorwheel.php, (8) dbfiles.php, (9) diraccess.php, (10) faq.php, (11) index.php, (12) kb.php, and (13) stats.php.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/16/2025
The vulnerability identified as CVE-2010-1360 represents a critical remote file inclusion flaw affecting FAQEngine version 4.24.00, which falls under the Common Weakness Enumeration category CWE-88 - Improper Neutralization of Argument Delimiters in a Command. This vulnerability manifests across multiple script files within the application, creating a widespread attack surface that enables remote adversaries to execute arbitrary PHP code through manipulation of the path_faqe parameter. The affected files include attachs.php, backup.php, badwords.php, categories.php, changepw.php, colorchooser.php, colorwheel.php, dbfiles.php, diraccess.php, faq.php, index.php, kb.php, and stats.php, demonstrating the severity and scope of the issue. The vulnerability stems from insufficient input validation and sanitization mechanisms that fail to properly filter user-supplied data before incorporating it into file path operations.
The technical exploitation of this vulnerability occurs when an attacker supplies a malicious URL as the value for the path_faqe parameter in any of the affected scripts. This allows the application to include and execute remote PHP code, effectively bypassing local security controls and potentially granting full system access to the compromised server. The flaw operates at the core of the application's file inclusion mechanism, where user input directly influences the file system operations without adequate sanitization or validation. This type of vulnerability is particularly dangerous because it can be exploited through various entry points within the application, making it difficult to secure all potential attack vectors. The vulnerability aligns with ATT&CK technique T1190 - Exploit Public-Facing Application, which describes how adversaries target applications accessible from external networks to gain initial access to systems.
The operational impact of CVE-2010-1360 extends beyond simple code execution, potentially allowing attackers to establish persistent backdoors, exfiltrate sensitive data, or use the compromised system as a launch point for further attacks within the network infrastructure. Given that FAQEngine is a web-based application, the attack surface includes not only the application itself but also any underlying systems that may be accessible through the compromised server. The vulnerability's presence in multiple files suggests that the application's architecture lacks proper input validation at the point of entry, creating a systemic weakness rather than an isolated flaw. Organizations running affected versions of FAQEngine face significant risk of unauthorized access, data breaches, and potential complete system compromise. The vulnerability also exposes the application to secondary attacks such as web shell deployment, which can provide attackers with ongoing access and control over the compromised environment. Security professionals should note that this vulnerability type represents a classic example of how insufficient input validation can create pathways for remote code execution, emphasizing the critical importance of implementing proper sanitization and validation mechanisms throughout application development processes.