CARE2X contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the inc_charset_fx.php script not properly sanitizing user input supplied to the 'root_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

At the time of disclosure, version 1.1 was roughly three years old (2004-01-11) and had been superceded by several versions up to and including 2.2.

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: turn the register_globals PHP option to 'off'.

• CVE ID: 2007-1458 (see also: NVD)
• Bugtraq ID: 22951
• Secunia Advisory ID: 24481
• ISS X-Force ID: 32981
• Related OSVDB ID: 34044 34046 34047 34048 34049 34050 34051 34052 34053 34054 34055 34056 34057 34058 34059 34060
• Milw0rm: 3472
• Exploit Database: 3472
• VUPEN Advisory: ADV-2007-0938
• Other Advisory URL: http://advisories.echo.or.id/adv/adv72-theday-2007.txt
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0173.html
• Vendor URL: http://www.care2x.org

• Dedi Dwianto a.k.a the_day - erdcecho.or.id - EcHo Research & Development Center