CVE-2005-2865

Name of the Vulnerable Software and Affected Versions aMember Pro version 2.3.4

Description The issue allows remote attackers to execute arbitrary PHP code via the config[root dir] parameter to various PHP files, including (1) mysql.inc.php, (2) efsnet.inc.php, (3) theinternetcommerce.inc.php, (4) cdg.inc.php, (5) compuworld.inc.php, (6) directone.inc.php, (7) authorize aim.inc.php, (8) beanstream.inc.php, (9) config.inc.php, (10) eprocessingnetwork.inc.php, (11) eway.inc.php, (12) linkpoint.inc.php, (13) logiccommerce.inc.php, (14) netbilling.inc.php, (15) payflow pro.inc.php, (16) paymentsgateway.inc.php, (17) payos.inc.php, (18) payready.inc.php, or (19) plugnplay.inc.php.

Recommendations As a temporary workaround, consider restricting access to the config[root dir] parameter in the affected PHP files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.