CVE-2009-3508

Name of the Vulnerable Software and Affected Versions MUJE CMS version 1.0.4.34

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the class parameter to "admin.php" and the url parameter to "install/install.php". Additionally, it allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the htmlfile parameter to "admin.php".

Recommendations For MUJE CMS version 1.0.4.34, as a temporary workaround, consider restricting access to the "admin.php" and "install/install.php" files until a patch is available. Avoid using the class and url parameters in the affected API endpoints, and restrict the htmlfile parameter to prevent reading arbitrary files.