PHPOF v1: CVE-2007-4763 statement

This page is about the original version of PHPOF (version 1). This has been superseded by the completely rewritten PHPOF version 2.

According to CVE-2007-4763 there is a remote file inclusion vulnerability in PHPOF, snapshot <= 20040226.

This is only true where PHPOF is installed in an environment configured with register_globals turned on. Although not stated explicitly at the time in the documentation, PHPOF is intended to be used in an environment in which register_globals is turned off, in which case there is no vulnerability.

Additionally, example exploits given depend not only on register_globals being turned on, but also on PHPOF being installed in a web-accessible directory. Again, this would be a poor configuration choice. Good practice dictates that server-side libraries should always be installed in a directory outside the public "document root", and it is intended/envisaged that PHPOF is installed as such. Such an installation mitigates the problem even if register_globals is turned on, since in that case applications using PHPOF are only vulnerable if they specifically use the ADODB backend for PHPOF (an extremely unusual case).

Notwithstanding the above, recent releases of PHPOF (now known as PHPOF1) do not include the above "vulnerability". Specifically, version 1.0.2 and above do not contain it, including the most recent release listed on the download page. The included documentation also explicitly advises against the configuration scenarios which gave rise to the issue.

PHPOF2 is not susceptible to the above issue in any configuration.

Sadly this issue was never reported or notified to me directly by any organisation or individual.

Tim Jackson
29 December 2008
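
The two conditions described in the statement (register_globals turned on, and the library installed under the document root or used with the ADODB backend) can be checked for a deployment of an affected snapshot. The following Python audit is an added example, not part of the original statement and not PHPOF code; the function names, directory paths and php.ini fragment are constructed for illustration.

```python
import posixpath
import re

TRUE_VALUES = {"1", "on", "true", "yes"}  # php.ini spellings of boolean true

# Constructed sample php.ini fragment, not taken from any real server.
SAMPLE_INI = """\
; register_globals = Off
[PHP]
register_globals = On   ; legacy setting left enabled
include_path = ".:/usr/share/php"
"""

def register_globals_enabled(ini_text):
    """Return the register_globals value a php.ini text would set."""
    enabled = False  # built-in default is Off since PHP 4.2.0
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"register_globals\s*=\s*(.*)$", line)
        if m:  # assumption: a later assignment overrides an earlier one
            enabled = m.group(1).strip().strip('"').lower() in TRUE_VALUES
    return enabled

def is_inside(path, root):
    """True if path is root or lies below it (lexical check, no symlinks)."""
    p = posixpath.normpath(path).split("/")
    r = posixpath.normpath(root).split("/")
    return p[:len(r)] == r  # compares whole components, so /html-lib != /html

def assess(ini_text, docroot, lib_dir, uses_adodb_backend=False):
    """Classify an install of an affected PHPOF snapshot per the statement."""
    if not register_globals_enabled(ini_text):
        return "not vulnerable"
    if is_inside(lib_dir, docroot) or uses_adodb_backend:
        return "vulnerable"
    return "mitigated"

if __name__ == "__main__":
    for lib in ("/var/www/html/lib/phpof", "/usr/local/lib/phpof"):
        print(lib, "->", assess(SAMPLE_INI, "/var/www/html", lib))
```

The check reads only php.ini text; per-directory overrides such as `php_flag register_globals on` in an Apache configuration or .htaccess file are not covered, and on a live host the paths should be resolved with `os.path.realpath` first so that symlinks are followed.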