CVE-2008-0478

Name of the Vulnerable Software and Affected Versions SetCMS version 3.6.5

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the set parameter. This can be achieved by sending a certain CLIENT IP HTTP header in an enter action to "index.php", and injecting PHP sequences into "files/enter.set", which is then included by "index.php".

Recommendations For SetCMS version 3.6.5, consider restricting access to the "index.php" file and avoid using the set parameter until a patch is available. As a temporary workaround, restrict write access to the "files/enter.set" file to minimize the risk of exploitation.