Alternc · Alternc · CVE-2006-6259
**Name of the Vulnerable Software and Affected Versions**
AlternC versions 0.9.5 and earlier
**Description**
Directory traversal vulnerabilities in specific files allow remote attackers to create arbitrary files and directories, and to read arbitrary files. Both rely on a .. (dot dot) sequence: in the `create name` field for creating files and directories, and in the `web root` field, when configuring a subdomain, for reading files.
**Recommendations**
For AlternC versions 0.9.5 and earlier, consider restricting access to the vulnerable files `class/functions.php` and `class/m_bro.php` until a patch is available. As a temporary workaround, avoid using the .. (dot dot) sequence in the `create name` and `web root` fields when configuring subdomains. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
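
The containment check that both affected fields need, as an added example rather than AlternC's own code: a user-supplied path is resolved against the account's base directory and rejected if it leaves it, including when the target does not exist yet (the `create name` case). The helper name `resolve_inside` and the sample paths are hypothetical.

```php
<?php
// Added example (hypothetical helper, not AlternC code); assumes POSIX, PHP 7.1+.
/**
 * Map a user-supplied relative path onto $baseDir and return the canonical
 * absolute path, or null if it would leave $baseDir. The target may not exist
 * yet, so realpath() alone is not enough: it returns false for missing paths.
 */
function resolve_inside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    // Lexical pass: drop "" and ".", refuse any ".." that climbs above the base.
    $parts = [];
    foreach (explode('/', $userPath) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (array_pop($parts) === null) {
                return null;
            }
            continue;
        }
        $parts[] = $seg;
    }
    // Filesystem pass: resolve symlinks on the deepest ancestor that exists.
    $existing = $base . ($parts ? '/' . implode('/', $parts) : '');
    $tail = [];
    while (!file_exists($existing) && !is_link($existing)) {
        array_unshift($tail, basename($existing));
        $existing = dirname($existing);
    }
    $real = realpath($existing);
    $root = rtrim($base, '/') . '/';
    if ($real === false || strpos($real . '/', $root) !== 0) {
        return null; // dangling link, or a symlink pointing outside the base
    }
    return $real . ($tail ? '/' . implode('/', $tail) : '');
}

// Constructed inputs, resolved against a throwaway base directory.
$base = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
mkdir($base . '/www', 0700, true);
foreach (['www/site1', 'new/dir/f.txt', '../../etc/passwd', 'www/../../x'] as $p) {
    printf("%-18s => %s\n", $p, resolve_inside($base, $p) ?? 'REJECTED');
}
```

The check and the later file operation are separate steps, so a user who can create symlinks inside the base directory between them can still redirect the operation; performing the file access with the account's own privileges limits what such a race can reach.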