CVE-2008-6551

Name of the Vulnerable Software and Affected Versions e-Vision CMS versions 2.0.2 and earlier

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in specific parameters. This can be achieved by manipulating the adminlang cookie to admin/ind ex.php or the module parameter to various PHP files in the adminpart directory of different modules, such as add3rdparty.php, addpolling.php, addcontact.php, addbrandnews.php, addnewsletter.php, addgame.php, addtour.php, addarticles.php, addproduct.php, or addplain.php. The vulnerability is particularly exploitable when magic quotes gpc is disabled.

Recommendations For e-Vision CMS versions 2.0.2 and earlier, consider disabling the execution of arbitrary local files until a patch is available. Restrict access to the vulnerable PHP files in the adminpart directory of different modules to minimize the risk of exploitation. Avoid using the module parameter in the affected API endpoints until the issue is resolved. As a temporary workaround, enable magic quotes gpc to prevent the exploitation of the directory traversal vulnerability.