CVE-2010-4399

Name of the Vulnerable Software and Affected Versions DynPG CMS versions 4.1.1 through 4.2.0

Description The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the languages.inc.php file when magic quotes gpc is disabled. This can be exploited by sending a .. (dot dot) in the CHG DYNPG SET LANGUAGE parameter to "index.php".

Recommendations For DynPG CMS versions 4.1.1 through 4.2.0, consider disabling the CHG DYNPG SET LANGUAGE parameter in the "index.php" file until a patch is available, or enable magic quotes gpc to prevent the directory traversal vulnerability.