CVE-2007-0635

Name of the Vulnerable Software and Affected Versions EncapsCMS version 0.3.6

Description The issue allows remote attackers to execute arbitrary PHP code. This can be achieved via a URL in the config[path] parameter to "common foot.php" or "blogs.php", or the config[theme] parameter to "admin/gallery head.php".

Recommendations For EncapsCMS version 0.3.6, consider restricting access to the config[path] and config[theme] parameters to prevent remote file inclusion attacks. As a temporary workaround, avoid using the config[path] parameter in "common foot.php" and "blogs.php", and the config[theme] parameter in "admin/gallery head.php" until a patch is available.