Core Security Technologies Advisory - When the install script for e107 CMS has not been removed, an attacker can "reinstall" the application using arbitrary parameters. If the attacker puts a valid MySql server followed a semicolon and PHP code, this will be executed when the config file gets requested. This parameters are stored in the config file "e107_config.php". Version 0.7.24 is affected.
f1aa6364a9b7aec87affa0e57cc0ec5d09d69d9a12a32fe5e884c8288d964039