CVE-2005-4317

Name of the Vulnerable Software and Affected Versions Limbo CMS versions 1.0.4.2 and earlier

Description The issue allows remote attackers to modify the $ SERVER variable, which can be used to conduct cross-site scripting (XSS) attacks in the stats module or execute arbitrary code via an eval injection attack in the wrapper option in "index2.php". This is possible when the register globals setting is off.

Recommendations For Limbo CMS versions 1.0.4.2 and earlier, as a temporary workaround, consider disabling the eval function in the wrapper option in "index2.php" until a patch is available. Restrict access to the stats module to minimize the risk of XSS attacks. Avoid using the SERVER[REMOTE ADDR] parameter in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.