CVE-2006-0132

Name of the Vulnerable Software and Affected Versions: SysCP WebFTP version 1.2.6 and possibly earlier

Description: The issue allows remote attackers to include and execute arbitrary local PHP scripts, and possibly read other types of files, via a .. (dot dot) and a trailing null in the webftp language parameter. This is a directory traversal vulnerability in the webftp.php file.

Recommendations: For SysCP WebFTP version 1.2.6 and possibly earlier, consider restricting access to the webftp language parameter to prevent exploitation until a patch is available. As a temporary workaround, avoid using the webftp language parameter with .. (dot dot) sequences and trailing nulls. At the moment, there is no information about a newer version that contains a fix for this vulnerability.