CVE-2008-6884

Name of the Vulnerable Software and Affected Versions: XOOPS version 2.3.1

Description: The issue allows remote attackers to include and execute arbitrary local files due to multiple directory traversal vulnerabilities. This is possible when register globals is enabled, and a .. (dot dot) is used in the xoopsConfig[language] parameter to access certain files, such as blocks.php and main.php in the xoops lib/modules/protector/ directory.

Recommendations: For XOOPS version 2.3.1, consider disabling the register globals setting to mitigate the risk of exploitation. Additionally, restrict access to the blocks.php and main.php files in the xoops lib/modules/protector/ directory until a patch is available. Avoid using the xoopsConfig[language] parameter with untrusted input in the affected API endpoints.