Title : GForge "PATH_INFO" Variable Processing Remote Command Injection Vulnerability
VUPEN ID : VUPEN/ADV-2007-1942
CVE ID : CVE-2007-0246
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-05-25
Technical Description
A vulnerability has been identified in GForge that could be exploited by attackers to execute arbitrary code. The issue is caused by an input validation error in the "plugins/scmcvs/www/cvsweb.php" script, which does not validate the "PATH_INFO" variable before passing it as an argument to a "passthru()" call. Remote attackers could exploit this to inject and execute arbitrary shell commands with the privileges of the web server.
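A defensive sketch of the pattern described above, added here as an illustration and not taken from GForge's cvsweb.php: PATH_INFO is checked against an allow-list and quoted with escapeshellarg() before it can reach passthru(). The helper path, the function names and the allowed character set are assumptions.

```php
<?php
// Added illustration, not GForge code. CVSWEB_HELPER, the function names and
// the allowed character set are assumptions made for this example.
const CVSWEB_HELPER = '/usr/local/bin/cvsweb-helper'; // hypothetical path

// Pattern the advisory describes (request data concatenated into a shell
// command line), shown only for contrast:
//   passthru(CVSWEB_HELPER . ' ' . $_SERVER['PATH_INFO']);

/** Return PATH_INFO if it matches the allow-list, otherwise null. */
function validated_path_info(?string $pathInfo): ?string
{
    if ($pathInfo === null || $pathInfo === '' || strlen($pathInfo) > 255) {
        return null;
    }
    // Slash-separated segments of [A-Za-z0-9_.-]; a segment may not start
    // with "." or "-", which rules out "..", dotfiles and option-like names.
    // \z anchors at the true end of the string, so a trailing newline fails.
    if (!preg_match('#^(?:/[A-Za-z0-9_][A-Za-z0-9_.-]*)+/?\z#', $pathInfo)) {
        return null;
    }
    return $pathInfo;
}

/** Build the command line with the path quoted as exactly one argument. */
function build_command(string $path): string
{
    return CVSWEB_HELPER . ' ' . escapeshellarg($path);
}

/** Request handler: reject anything that fails validation before any shell call. */
function handle_request(array $server): int
{
    $path = validated_path_info($server['PATH_INFO'] ?? null);
    if ($path === null) {
        http_response_code(400);
        return 400;
    }
    passthru(build_command($path), $status);
    return $status;
}

// Constructed sample inputs; only validation and quoting are exercised here.
if (PHP_SAPI === 'cli') {
    $samples = ['/myproject/src/main.c', '/myproject/../etc', '/myproject/src; echo x', "/myproject/src\n"];
    foreach ($samples as $s) {
        $ok = validated_path_info($s);
        printf("%-28s %s\n", json_encode($s), $ok === null ? 'rejected' : build_command($ok));
    }
}
```

Validation and quoting are independent layers: the allow-list rejects unexpected input outright, and escapeshellarg() keeps an accepted value from being interpreted by the shell as anything other than a single argument.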