CVE-2010-1934 in openPlanning
Summary
by MITRE
Multiple PHP remote file inclusion vulnerabilities in openMairie openPlanning 1.00, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) categorie.class.php, (2) profil.class.php, (3) collectivite.class.php, (4) ressource.class.php, (5) droit.class.php, (6) utilisateur.class.php, and (7) planning.class.php in obj/.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 10/21/2025
The vulnerability identified as CVE-2010-1934 represents a critical remote file inclusion flaw affecting openMairie openPlanning version 1.00. This vulnerability stems from the improper handling of user-supplied input within the application's object-oriented architecture, specifically targeting the path_om parameter across multiple class files. The flaw exists in the context where register_globals is enabled, creating a dangerous condition that allows attackers to inject malicious file paths into the application's execution flow. The affected files include categorie.class.php, profil.class.php, collectivite.class.php, ressource.class.php, droit.class.php, utilisateur.class.php, and planning.class.php, all located within the obj/ directory structure. This widespread impact across multiple core application components demonstrates the severity of the vulnerability's scope.
The technical exploitation of this vulnerability relies on the PHP configuration where register_globals is enabled, which automatically creates global variables from request parameters. When an attacker supplies a malicious URL in the path_om parameter, the application's code fails to properly validate or sanitize this input before incorporating it into file inclusion operations. The vulnerability is classified under CWE-88, which addresses the improper neutralization of special elements in input that could be interpreted as command or control instructions. This flaw allows attackers to execute arbitrary PHP code on the target server by leveraging the predictable inclusion pattern of the application's object model. The vulnerability operates at the intersection of input validation failures and insecure file handling practices, creating a pathway for remote code execution that bypasses normal application security controls.
The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with complete control over the affected server environment. Successful exploitation enables malicious actors to upload and execute additional malware, escalate privileges, access sensitive data, and potentially use the compromised system as a launching point for further attacks within the network. The vulnerability affects the integrity and confidentiality of the openPlanning application, which likely manages sensitive municipal data and user information. From an attack perspective, this vulnerability maps to ATT&CK technique T1190, which involves using remote services to gain initial access to target systems. The exploitation requires minimal technical sophistication, making it particularly dangerous as it can be leveraged by attackers with varying skill levels to compromise entire server infrastructures.
Mitigation strategies for this vulnerability require immediate implementation of multiple defensive measures. The primary recommendation involves disabling register_globals in the PHP configuration, which eliminates the core condition enabling this attack vector. Additionally, proper input validation and sanitization must be implemented throughout the application, particularly for all parameters that influence file inclusion operations. The application should employ a whitelist-based approach for file paths, rejecting any input that does not match predefined safe patterns. Network-level controls including firewalls and intrusion detection systems should be configured to monitor for suspicious URL patterns and parameter injection attempts. Regular security auditing and code review practices should be established to identify similar vulnerabilities in other application components, as this flaw demonstrates a systemic issue in how the application handles external input. The vulnerability also underscores the importance of keeping software components updated and following secure coding practices as outlined in OWASP Top 10 security guidelines, particularly addressing the risks associated with insecure direct object references and insecure file operations.