CVE-2007-4485

critical

Description

PHP remote file inclusion vulnerability in visitor.php in Butterfly online visitors counter 1.08, when used with certain older versions of PHP with improper SERVER superglobal handling, allows remote attackers to execute arbitrary PHP code via a URL in the _SERVER[DOCUMENT_ROOT] parameter. NOTE: it could be argued that this vulnerability is caused by a problem in PHP and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in Butterfly online visitors counter.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/36147

http://www.securityfocus.com/archive/1/482006/100/0/threaded

http://www.securityfocus.com/archive/1/477253/100/0/threaded

http://securityvulns.com/source26994.html

http://osvdb.org/38327

Details

Source: Mitre, NVD

Published: 2007-08-22

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00973