CVE-2006-6047

Name of the Vulnerable Software and Affected Versions Etomite version 0.6.1.2

Description The issue allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the f parameter. This can be demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php.

Recommendations For Etomite version 0.6.1.2, consider restricting access to the f parameter in the manager/index.php file to prevent directory traversal attacks. As a temporary workaround, restrict the ability of administrators to include local files using the .. (dot dot) sequence in the f parameter until a patch is available.