CVE-2008-6537

Name of the Vulnerable Software and Affected Versions LightNEasy version 1.2

Description The issue allows remote attackers to obtain the hash of the administrator password. This is achieved by exploiting the setup "do" action to LightNEasy.php. Although the variable is cleared from $ GET, it can still be accessed using $ REQUEST, thus allowing the attack.

Recommendations For version 1.2, consider restricting access to the LightNEasy.php file until a patch is available, or ensure that the setup "do" action is properly validated and sanitized to prevent unauthorized access. As a temporary workaround, avoid using the $ REQUEST variable to access sensitive data, and instead, use $ GET or $ POST explicitly to minimize the risk of exploitation.