CVE-2006-3602

Name of the Vulnerable Software and Affected Versions FarsiNews version 3.0 BETA 1

Description A directory traversal issue exists, allowing remote attackers to include arbitrary files. This is achieved by using a .. (dot dot) sequence and a trailing null (%00) byte in the language parameter within the advanced theme.

Recommendations For FarsiNews version 3.0 BETA 1, consider restricting access to the tiny mce gzip.php file in the jscripts/tiny mce directory until a patch is available. As a temporary workaround, avoid using the language parameter in the advanced theme to minimize the risk of exploitation.