CVE-2008-2520

Name of the Vulnerable Software and Affected Versions BigACE version 2.4

Description The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This can be achieved via a URL in the GLOBALS[ BIGACE][DIR][addon] parameter to files such as "addon/smarty/plugins/function.captcha.php" and "system/classes/sql/AdoDBConnection.php", and the GLOBALS[ BIGACE][DIR][admin] parameter to files like "item information.php", "jstree.php" in "system/application/util/", and "system/admin/plugins/menu/menuTree/plugin.php".

Recommendations For BigACE version 2.4, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the vulnerable parameters GLOBALS[ BIGACE][DIR][addon] and GLOBALS[ BIGACE][DIR][admin] until a patch is available. As a temporary workaround, avoid using these parameters in the affected API endpoints.