Mkportal · Mkportal · CVE-2006-3554
**Name of the Vulnerable Software and Affected Versions**
MKPortal version 1.0.1 Final
**Description**
The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the `language` cookie. This can be demonstrated by using a `gl_session` cookie to inject PHP sequences into the error.log file, which is then included by index.php, with the malicious commands accessible through the `ind` parameter.
**Recommendations**
For MKPortal version 1.0.1 Final, consider restricting access to the `language` cookie and the `ind` parameter in index.php to minimize the risk of exploitation. As a temporary workaround, restrict the inclusion of local files by index.php until a patch is available.
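
The following is an added example, not MKPortal code and not part of the original advisory. It shows how PHP code can map a `language` cookie onto a fixed set of installed language packs before any include, so that values containing traversal sequences fall back to a default. The directory layout, the file name `lang_global.php`, the default `English`, and all function names are assumptions.

```php
<?php
// Added example; not MKPortal code. Paths and names below are assumptions.
const DEFAULT_LANG = 'English';            // hypothetical default language pack

/** List installed language packs: immediate subdirectories of $dir only. */
function installed_languages(string $dir): array
{
    $names = [];
    foreach (scandir($dir) ?: [] as $entry) {
        if ($entry[0] !== '.' && is_dir("$dir/$entry")) {
            $names[] = $entry;
        }
    }
    return $names;
}

/** Map the untrusted cookie value onto an allowlisted name, else the default. */
function resolve_language($cookie, array $allowed, string $default): string
{
    // Strict comparison: arrays, null and traversal strings can never match.
    return (is_string($cookie) && in_array($cookie, $allowed, true)) ? $cookie : $default;
}

/** Build the include path and confirm it resolves inside $dir. */
function language_file(string $dir, string $lang, string $file): string
{
    $base = realpath($dir);
    $path = realpath("$dir/$lang/$file");
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file is outside the language directory');
    }
    return $path;
}

// Constructed demo: a throwaway language tree and sample cookie values.
// In an application the value would come from $_COOKIE['language'] ?? null.
$root = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir("$root/English", 0700, true);
file_put_contents("$root/English/lang_global.php", "<?php return ['hello' => 'Hello'];");

$allowed = installed_languages($root);
foreach (['English', '../../error.log', 'English/../..', ['x'], null] as $cookie) {
    $lang    = resolve_language($cookie, $allowed, DEFAULT_LANG);
    $strings = require language_file($root, $lang, 'lang_global.php');
    echo json_encode($cookie, JSON_UNESCAPED_SLASHES), ' => ', $lang, ' (', $strings['hello'], ')', PHP_EOL;
}
```

Every constructed cookie value other than `English` resolves to the default pack, and the `realpath` prefix check is a second barrier in case a name on the allowlist is itself a symlink pointing outside the language directory.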