CVE-2008-5728

Name of the Vulnerable Software and Affected Versions AIST NetCat versions 3.12 and earlier

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the system parameter in "modules/netshop/post.php" and the INCLUDE FOLDER parameter in various files, including "auth.inc.php", "banner.inc.php", "blog.inc.php", and "forum.inc.php" in "modules/". This can occur when magic quotes gpc is disabled and register globals is enabled.

Recommendations For AIST NetCat versions 3.12 and earlier, consider disabling the register globals setting and enabling magic quotes gpc to mitigate the risk of exploitation. Additionally, restrict access to the vulnerable parameters, such as system and INCLUDE FOLDER, in the affected files until a patch is available. As a temporary workaround, consider removing or restricting the .. (dot dot) sequence in user-input data for the system parameter in "modules/netshop/post.php" and the INCLUDE FOLDER parameter in the mentioned files.