PT-2008-5454 · Easysite · Easysite

Sirgod · Published 2008-09-19 · Updated 2017-09-29 · CVE-2008-4155

CVSS v2.0: 7.8 High

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

EasySite version 2.3

Description

The issue allows remote attackers to read arbitrary files or list directories via a .. (dot dot) in various parameters. This can be achieved through the module or action parameter in "www/index.php", the module, ss module, or ss action parameter in "modules/Module/index.php" or "modules/Themes/index.php", or the module parameter in "inc/vmenu.php".

Recommendations

For EasySite version 2.3, consider restricting access to the vulnerable parameters (module, action, ss module, and ss action) in the affected scripts until a patch is available. As a temporary workaround, avoid using the module parameter in "inc/vmenu.php" and restrict access to the module and action parameters in "www/index.php". Also limit access to the module, ss module, and ss action parameters in "modules/Module/index.php" and "modules/Themes/index.php" to minimize the risk of exploitation.
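
While access is being restricted, web server logs can be reviewed for requests that place ".." in the parameters listed above. The following is an added example, not code from the advisory or from EasySite. It assumes combined-format access logs, that URL paths end with the script paths named in the description, and that "ss module" and "ss action" may be spelled on the wire with either a space or an underscore; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Scripts and parameters named in the advisory. Names are compared lowercased with
# spaces mapped to underscores (an assumption about the "ss module" spelling).
WATCHED = {
    "www/index.php": {"module", "action"},
    "modules/Module/index.php": {"module", "ss_module", "ss_action"},
    "modules/Themes/index.php": {"module", "ss_module", "ss_action"},
    "inc/vmenu.php": {"module"},
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_requests(log_lines):
    """Return (line_no, script, parameter, decoded_value) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        script = next((s for s in WATCHED if url.path.endswith("/" + s)), None)
        if script is None:
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            name = name.lower().replace(" ", "_")
            value = fully_decode(value)
            if name in WATCHED[script] and ".." in value:
                hits.append((line_no, script, name, value))
    return hits

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2008:10:00:00 +0000] "GET /www/index.php?module=News&action=view HTTP/1.1" 200 512',
    '192.0.2.11 - - [19/Sep/2008:10:00:05 +0000] "GET /easysite/inc/vmenu.php?module=..%2F..%2Fplaceholder HTTP/1.1" 200 90',
    '192.0.2.11 - - [19/Sep/2008:10:00:09 +0000] "GET /modules/Themes/index.php?ss_action=%252e%252e%252fplaceholder HTTP/1.1" 200 90',
    '192.0.2.12 - - [19/Sep/2008:10:01:00 +0000] "GET /www/index.php?page=..&module=Home HTTP/1.1" 200 512',
]
if __name__ == "__main__":
    print(*find_traversal_requests(SAMPLE_LOG), sep="\n")
```

Only query-string parameters are inspected; values sent in a POST body do not appear in access logs and need a separate source such as a WAF or application log.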

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2008-4155

Affected Products

Easysite