PT-2006-6561 · Apache · Apache Http Server
Kacper · Published 2006-11-14 · Updated 2017-10-19 · CVE-2006-5894
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Rama CMS versions 0.68 and earlier
Description
A directory traversal issue exists that allows remote attackers to include and execute arbitrary local files via a .. (dot dot) sequence in the lang cookie when register_globals is enabled. In the reported case, PHP code is first injected into an Apache HTTP Server log file, and that log file is then included through the traversal.
Recommendations
For Rama CMS versions 0.68 and earlier, disable the register_globals setting to prevent exploitation. Consider updating the lang.php file to properly sanitize the lang cookie so that it cannot be used for directory traversal. As a temporary workaround, consider restricting access to the lang.php file until a patch is available.
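The following is an added example of the kind of hardening the recommendation describes; it is not Rama CMS code. It assumes a languages/ directory of <code>.php files beside the script, a cookie named lang, and the function name resolveLanguageFile; all three are assumptions. The value is read explicitly from $_COOKIE rather than relying on register_globals, checked against a strict allowlist pattern, and the resolved path is confined to the language directory before anything is included.

```php
<?php
// Added example, not part of Rama CMS: a hardened language selector for the
// lang cookie. Directory name, cookie name and function name are assumptions.
declare(strict_types=1);

const LANG_DIR = __DIR__ . '/languages';
const DEFAULT_LANG = 'en';

/**
 * Resolve the language file to include from the "lang" cookie value.
 * Returns an absolute path inside LANG_DIR, falling back to the default
 * language when the value is missing, malformed, or outside the directory.
 */
function resolveLanguageFile(?string $cookieValue): string
{
    // Read the value explicitly; never depend on register_globals filling $lang.
    $candidate = $cookieValue ?? DEFAULT_LANG;

    // Allowlist: two to eight lowercase letters with an optional "-xx" region.
    // This rejects "..", "/", "\", NUL bytes and anything else that could
    // change the path that is built below.
    if (!preg_match('/^[a-z]{2,8}(-[a-z]{2,8})?$/', $candidate)) {
        $candidate = DEFAULT_LANG;
    }

    $base = realpath(LANG_DIR);
    if ($base === false) {
        throw new RuntimeException('language directory is missing');
    }

    // Belt and braces: the resolved file must exist and sit under LANG_DIR.
    $path = realpath($base . DIRECTORY_SEPARATOR . $candidate . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        $path = $prefix . DEFAULT_LANG . '.php';
    }
    return $path;
}

// Only the vetted path ever reaches the include.
$langFile = resolveLanguageFile($_COOKIE['lang'] ?? null);
require $langFile;
```

Disabling register_globals in php.ini remains necessary regardless, since the advisory names it as a precondition for the issue.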
Affected Products
Apache Http Server