CVE-2009-2220

Name of the Vulnerable Software and Affected Versions Tribiq CMS version 5.0.12c

Description The issue allows remote attackers to include and possibly execute arbitrary files via directory traversal sequences in certain parameters. This is possible when register globals is enabled and magic quotes gpc is disabled. The vulnerable parameters include template path in files such as "masthead.inc.php", "toppanel.inc.php", and "contact.inc.php" in the "templates/mytribiqsite/tribiq-CL-9000/includes" directory, and the use template family parameter in "nlarlist content.inc.php".

Recommendations For Tribiq CMS version 5.0.12c, consider disabling the register globals setting and enabling magic quotes gpc to mitigate the risk. Additionally, restrict access to the vulnerable files, such as "masthead.inc.php", "toppanel.inc.php", "contact.inc.php", and "nlarlist content.inc.php", to minimize the risk of exploitation. Avoid using the template path and use template family parameters in the affected API endpoints until the issue is resolved.