CVE-2009-0674

Name of the Vulnerable Software and Affected Versions RavenNuke version 2.30

Description The issue allows remote attackers to determine the existence of local files by sending requests with full pathnames in the aFonts array parameter and observing the error messages. This is possible when register globals and display errors are enabled. The error messages differ between existing and nonexistent pathnames, enabling attackers to gather information about the local file system.

Recommendations For RavenNuke version 2.30, disable register globals and display errors to prevent exploitation. As a temporary workaround, consider restricting access to the images/captcha.php file until a patch is available. Avoid using the aFonts array parameter in the affected endpoint until the issue is resolved.