CVE-2008-2913

Name of the Vulnerable Software and Affected Versions Devalcms version 1.4a

Description A directory traversal issue exists due to the lack of proper input validation in the func.php file when magic quotes gpc is disabled. This allows remote attackers to include and execute arbitrary local files by manipulating the currentpath parameter with a .. (dot dot) sequence, in combination with specific ... (triple dot) and ..... sequences in the currentfile parameter, to index.php.

Recommendations For Devalcms version 1.4a, consider disabling the execution of external files through the func.php file until a proper patch is available, and ensure magic quotes gpc is enabled to mitigate the risk of directory traversal attacks.