CVE-2007-6187

Name of the Vulnerable Software and Affected Versions PHP Content Architect (aka NoAh) versions 0.9 through 1.2 and earlier

Description The issue allows remote attackers to read arbitrary files due to multiple directory traversal vulnerabilities. This can be achieved by including a .. (dot dot) in the filepath parameter to API endpoints such as "css file.php", "js file.php", or "xml file.php" in the noah/modules/nosystem/templates/ directory.

Recommendations For PHP Content Architect (aka NoAh) versions 0.9 through 1.2 and earlier, consider restricting access to the vulnerable API endpoints "css file.php", "js file.php", and "xml file.php" until a patch is available. Avoid using the filepath parameter in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.