CVE-2006-4914

Name of the Vulnerable Software and Affected Versions A.l-Pifou version 1.8p2

Description The issue allows remote attackers to read arbitrary files via ".." sequences in the ze langue 02 cookie. This can be achieved by using the choix lng parameter to choix langue.php to indirectly set the cookie, then accessing livre dor.php to trigger the inclusion from inc/change lang ck.php. There is a possible relationship with livre livre.php, as reported by some third-party sources.

Recommendations For A.l-Pifou version 1.8p2, consider restricting access to the choix langue.php and livre dor.php scripts until a patch is available. As a temporary workaround, avoid using the choix lng parameter in the choix langue.php script to minimize the risk of exploitation.