cbcvebase.
CVE-2007-4636
published 2007-08-31

CVE-2007-4636: Multiple PHP remote file inclusion vulnerabilities in phpBG 0.9.1 allow remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter to…

PriorityP357high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
71.06%
99.3th percentile
Multiple PHP remote file inclusion vulnerabilities in phpBG 0.9.1 allow remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter to (1) intern/admin/other/backup.php, (2) intern/admin/, (3) intern/clan/member_add.php, (4) intern/config/key_2.php, or (5) intern/config/forum.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
phpbgphpbg

Detection & IOCsextracted from sources · hover to see the quote

path/intern/admin/other/backup.php
path/intern/admin/
path/intern/clan/member_add.php
path/intern/config/key_2.php
path/intern/config/forum.php
  • Detect HTTP requests targeting phpBG scripts with a user-controlled `rootdir` parameter containing a remote URL (RFI pattern), particularly to the five known vulnerable paths.
  • Flag GET requests where the `rootdir` query parameter value begins with `http://` or `https://` against any of the five vulnerable phpBG endpoints.
  • The `admin=1` parameter accompanies the RFI payload specifically on the backup.php endpoint; include this in detection logic for that path.
  • ·The PoC uses a placeholder value ('Shell') for the rootdir parameter; in real attacks this would be replaced with a remote URL pointing to attacker-controlled PHP code. Detection rules should match on URL-like values (e.g., http://, https://, ftp://) in the rootdir parameter, not the literal string 'Shell'.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.