
Frog-M@N

Researcher at Security Corporation
#49387 of 53,635
5 total CVSS
Vulnerabilities · 1
PT-2004-2834
5.0
2004-12-31
Nuked Klan · Nuked-Klan · CVE-2004-1937
**Name of the Vulnerable Software and Affected Versions**

Nuked-KlaN versions 1.4b through 1.5b

**Description**

The issue allows remote attackers to read or include arbitrary files via `..` sequences in the `user_langue` parameter to "index.php" or the `langue` parameter to "update.php". It also enables modification of arbitrary GLOBAL variables by causing "globals.php" to be loaded before "conf.inc.php" via `..` sequences in the `file` parameter with the `page` parameter set to "globals", or "../globals.php" in the `user_langue` parameter. This can be demonstrated by modifying the `$nuked[prefix]` variable in the Suggest module.

**Recommendations**

For Nuked-KlaN versions 1.4b through 1.5b, consider disabling the `user_langue` and `langue` parameters in the "index.php" and "update.php" files, respectively, until a patch is available. Restrict access to the "globals.php" file to minimize the risk of exploitation. Avoid using the `file` parameter with the `page` parameter set to "globals" in vulnerable versions.
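
To find past requests matching the description above, the following added example (not code from Nuked-KlaN or from the advisory) scans web access logs for `..` path segments in the three named parameters, including percent-encoded and double-encoded forms. The combined log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script -> parameters the advisory names as carrying ".." sequences.
WATCHED = {"index.php": {"user_langue", "file"}, "update.php": {"langue"}}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots (%252e) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def php_name(name):
    """PHP turns spaces and dots in request variable names into underscores."""
    return name.replace(" ", "_").replace(".", "_")

def suspicious_params(log_line):
    """Return sorted (script, parameter) pairs in one log line that carry '..'."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    watched = WATCHED.get(script, set())
    return sorted({(script, php_name(n))
                   for n, v in parse_qsl(url.query, keep_blank_values=True)
                   if php_name(n) in watched and has_traversal(v)})

def scan(lines):
    """Map 1-based line number -> findings, for lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))}

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Dec/2004:10:00:00 +0000] "GET /index.php?file=News HTTP/1.1" 200 5120',
    '192.0.2.11 - - [31/Dec/2004:10:00:05 +0000] "GET /index.php?user_langue=../globals.php HTTP/1.1" 200 312',
    '192.0.2.11 - - [31/Dec/2004:10:00:09 +0000] "GET /update.php?langue=%252e%252e%2Fplaceholder HTTP/1.1" 200 298',
    '192.0.2.12 - - [31/Dec/2004:10:00:12 +0000] "GET /index.php?file=..&page=globals HTTP/1.1" 200 301',
]
```

Only query strings are inspected; values sent in POST bodies or cookies do not appear in a standard access log and need application-level or WAF logging to be covered.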