CVE-2009-4896

Name of the Vulnerable Software and Affected Versions mlmmj versions 1.2.15 through 1.2.17

Description The issue allows remote authenticated users to overwrite, create, or delete arbitrary files, or determine the existence of arbitrary directories, via a .. (dot dot) in a list name in a (1) edit or (2) save action.

Recommendations For versions 1.2.15 through 1.2.17, consider restricting access to the mlmmj-php-admin web interface until a fix is available, and avoid using the edit or save actions with list names containing .. (dot dot) to minimize the risk of exploitation.