FrontAccounting Improper Control of Generation of Code (Code Injection) Vulnerability - CVE-2007-5148
DISPUTED: Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.12 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/logout.php or certain PHP scripts under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, (7) purchasing/, (8) reporting/, (9) sales/, or (10) taxes/. NOTE: the config.php vector is already covered by CVE-2007-4279, and the login.php and language.php vectors are already covered by CVE-2007-5117. NOTE: this issue is disputed by CVE because path_to_root is defined before use in all of the other files reported in the original disclosure.
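The dispute rests on a source-level check: is path_to_root assigned in a file before the first include/require that uses it? The following triage script is an added example, not part of the CVE record or of FrontAccounting; the PHP samples and file names are constructed, and the check is a per-file heuristic that does not follow included files or control flow.

```python
import re

# Keep string literals (group 1), drop PHP comments, so a commented-out
# assignment is not mistaken for a definition.
_STR_OR_COMMENT = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.S,
)
# First include/require statement whose argument references $path_to_root.
_USE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*?\$path_to_root\b")
# Plain assignment ("=" but not "=="), capturing the right-hand side.
_ASSIGN = re.compile(r"\$path_to_root\s*=(?!=)(?P<rhs>[^;]*);")
_REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")


def classify(php_source):
    """Return a verdict for one PHP file's handling of $path_to_root."""
    code = _STR_OR_COMMENT.sub(lambda m: m.group(1) or "", php_source)
    use = _USE.search(code)
    if use is None:
        return "not-used"
    earlier = [m for m in _ASSIGN.finditer(code) if m.start() < use.start()]
    if not earlier:
        return "used-before-defined"   # needs manual review
    if _REQUEST_INPUT.search(earlier[-1].group("rhs")):
        return "defined-from-request"  # assigned, but from client input
    return "defined-before-use"        # the situation the dispute note describes


def audit(files):
    """Map each file name to its verdict; `files` is {name: source text}."""
    return {name: classify(src) for name, src in files.items()}


# Constructed sample files (not FrontAccounting source).
SAMPLES = {
    "constructed/defined_first.php":
        '<?php\n$path_to_root = "..";\ninclude_once($path_to_root . "/x.inc");\n',
    "constructed/commented_out.php":
        '<?php\n// $path_to_root = "..";\ninclude_once($path_to_root . "/x.inc");\n',
    "constructed/from_request.php":
        "<?php\n$path_to_root = $_GET['path_to_root'];\nrequire($path_to_root . '/x.inc');\n",
    "constructed/no_include.php": '<?php\necho "hello";\n',
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{verdict:22} {name}")
```

Files reported as used-before-defined or defined-from-request are the ones to read by hand; defined-before-use matches the reason given for the dispute.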