PT-2006-4429 · Mkportal · Mkportal

Stormhacker · Published 2006-07-13 · Updated 2018-10-18 · CVE-2006-3554

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

MKPortal version 1.0.1 Final

Description

The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the language cookie. This can be demonstrated by using a gl session cookie to inject PHP sequences into the error.log file, which is then included by index.php with malicious commands accessible by the ind parameter.

Recommendations

For MKPortal version 1.0.1 Final, consider restricting access to the language cookie and the ind parameter in index.php to minimize the risk of exploitation. As a temporary workaround, restrict the inclusion of local files by index.php until a patch is available.

Related identifiers

CVE-2006-3554

Affected products

Mkportal