CVE-2006-3210

Name of the Vulnerable Software and Affected Versions Ralf Image Gallery (RIG) versions 0.7.4 through 0.9

Description The issue allows remote attackers to conduct PHP remote file inclusion and directory traversal attacks when register globals is enabled. This can be achieved via URLs or ".." sequences in the dir abs src parameter in files such as "check entry.php", "admin album.php", "admin image.php", and "admin util.php", and the dir abs admin src parameter in "admin album.php" and "admin image.php". This issue can also be leveraged to conduct cross-site scripting (XSS) attacks.

Recommendations For Ralf Image Gallery (RIG) versions 0.7.4 through 0.9, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the check entry.php, admin album.php, admin image.php, and admin util.php files, and avoid using the dir abs src and dir abs admin src parameters in the affected API endpoints until the issue is resolved.